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STRIKING THE RIGHT BALANCE: PRO- 
TECTING OUR NATION’S CRITICAL INFRA- 
STRUCTURE FROM CYBER ATTACK AND EN- 
SURING PRIVACY AND CIVIL LIBERTIES 


Thursday, April 25, 2013 

U.S. House of Representatives, 
Subcommittee on Cybersecurity, Infrastructure 
Protection, and Security Technologies, 

Committee on Homeland Security, 

Washington, DC. 

The subcommittee met, pursuant to call, at 2:19 p.m., in Room 
311, Cannon House Office Building, Hon. Patrick Meehan [Chair- 
man of the subcommittee] presiding. 

Present: Representatives Meehan, Rogers, Daines, Perry, Clarke, 
Keating, Vela, and Horsford. 

Mr. Meehan. The Committee on Homeland Security Sub- 
committee on Cybersecurity, Infrastructure Protection, and Secu- 
rity Technologies will come to order. 

The subcommittee is meeting today to examine the balance be- 
tween preventing a cyber attack on our Nation’s critical infrastruc- 
ture and ensuring privacy and civil liberties are protected. I will 
recognize myself for an opening statement. 

I would like to welcome everyone to today’s hearing, which is ti- 
tled, “Striking the Right Balance: Protecting Our Nation’s Critical 
Infrastructure From Cyber Attack and Ensuring Privacy and Civil 
Liberties.” During this Congress, our subcommittee has been exam- 
ining the cybersecurity threat to individuals and to our critical in- 
frastructure. Our Nation has made great strides, but the threat is 
multi-faceted and we are only as strong as our weakest link. 

Earlier this week, we saw the ramifications of a hacked Twitter 
account that nearly sent our financial markets into a tailspin. 
While the Dow Jones Industrial Average has to recoup their losses, 
the lesson is clear: We are in an interconnected world. A successful 
attack on one network will certainly impact others. 

The Department of Homeland Security plays a crucial role in 
preventing cyber attacks on our Governmental and critical infra- 
structure key resources. As Chairman McCaul and I and the Rank- 
ing leadership work together, we have continued to use our efforts 
to craft legislation to bolster existing structures and improve the 
capabilities of the Department of Homeland Security. One of the 
key challenges will be to strike the balance of securing our net- 
works and ensuring our protections for our citizens. 

( 1 ) 
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Upon assuming the gavel of this subcommittee this year, I made 
sure I immediately reached out to leading privacy advocates. 
Groups like the American Civil Liberties Union and Center for De- 
mocracy & Technology have been instrumental in shaping the 
thinking as we have moved forward with the committee’s work. In- 
deed, we must make clear that the purpose of sharing information 
is to prevent a cyber attack and nothing else. Any intelligence 
shared with the Government or with public or private entities must 
include protections for consumers and individuals. 

In order to accomplish this, we must ensure that we have a full 
understanding, first, what the threat is; next, what type of intel- 
ligence is necessary to share to prevent an attack; then what type 
of information is inadvertently caught in the net; and furthermore, 
what may be done once it is identified? The answer to these ques- 
tions, coupled with robust civilian oversight, a clear set of rules of 
conduct and liability protections for those acting in good faith will 
help shape the key policy initiatives for our subcommittee. 

I need to be clear and I think all of us share that right out front 
that the committee is not concerned with internet habits of ordi- 
nary Americans. It is our duty as Members of this committee to 
make sure that the Department does not monitor, collect, or store 
the on-line activity of law-abiding American citizens. Therefore, in- 
formation that permits the identity of an individual to be directly 
or indirectly inferred, which is also referred to as personally identi- 
fiable information, must be protected. 

The Department of Homeland Security has significant inherent 
advantages that enable the Department to facilitate communication 
among 16 critical infrastructure sectors. The Department of Home- 
land Security Privacy Office is the first statutorily required privacy 
office in any Federal agency. The office is responsible for evaluating 
Department operations for potential privacy impacts and providing 
mitigation strategies to reduce the privacy impact. 

By employing Fair Information Practice Principles, or FIPPs, as 
it is known, the DHS Privacy Office is charged with ensuring that 
the Department’s data collection methods are transparent, have 
specified purposes, and include data minimization, use limitation, 
data quality and integrity, security, accountability, and auditing. 
Those are FIPPs principles. 

It is for these reasons that many intelligence and cybersecurity 
experts point to DHS as manning a significant role in combating 
the threat. In fact, the Director of the National Security Agency, 
General Keith Alexander, said that due to the Department’s trans- 
parency, he sees DHS as an entry point for working with industry. 

Building our Nation’s capacity to prevent cyber attacks is com- 
plex as it is essential. As a former United States attorney, I can 
tell you that the Department of Justice has a very important role 
to play in enforcing our cyber crime laws. We also must permit our 
military and foreign intelligence capabilities and those resources to 
protect our Nation’s defense. Equally as important, the Department 
of Homeland Security has the mission of defending our Nation’s 
key resources and the liberties guaranteed by our Constitution. 

We have an excellent panel of witnesses today who will help us 
answer these questions and hopefully help us find the balance. 
Moving forward, today’s hearing aims to examine how DHS cur- 
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rently protects privacy and personally identifiable information. It 
addresses the legitimate privacy concerns that are inherent in 
sharing cybersecurity threat information and finds ways to strike 
that proper balance between privacy and security. No one should 
mistake the common cause of securing our homeland for authority 
to violate the civil liberties of Americans. 

The Chairman now recognizes the Ranking Minority Member, 
the gentlelady from New York, Ms. Clarke, for any statement she 
may have. 

Ms. Clarke. Mr. Chairman, I thank you for holding today’s hear- 
ing. I am pleased to be joined today by this very distinguished 
panel of witnesses, and I would like to welcome Mary Ellen Cal- 
lahan back to the committee for her first time since leaving the De- 
partment. 

Here on the Homeland Security committee, we have understood 
the need to balance security and privacy for quite some time. Pro- 
tecting our Nation from 21st Century threats requires vigorous co- 
ordinated action from our Government and State, local, private sec- 
tor, and international partners. But if we go overboard to identify 
and eliminate every conceivable threat at any cost, we risk tram- 
pling the very rights of citizens we aim to protect. The need to find 
that proper balance has been a cornerstone of our committee’s work 
on counterterrorism, on transportation security and certainly on to- 
day’s topic, cybersecurity. 

Most of the Government’s efforts in cybersecurity do not directly 
touch upon privacy issues, and that is an important distinction 
that is not made often enough. Many programs, such as the De- 
partment of Homeland Security’s EINSTEIN program, do not in- 
volve the collection or sharing of any kind of personally identifiable 
information at all. The vast majority of all of the information need- 
ed to thwart cyber attacks consists of technical data, such as IP ad- 
dresses and malicious code, which has little or nothing to do with 
someone’s social security number or passwords. 

But where the private sector needs to share information with the 
Government to stop cyber attacks, every precaution must be taken 
to ensure the privacy of our citizens is ensured. 

Last month, we heard from the American Civil Liberties Union 
on the importance of protecting privacy in cyberspace. I am pleased 
that we are joined today by three witnesses, who can really speak 
to the nuts and bolts of challenges, protecting private data from 
both the Government and business perspectives. As we look toward 
crafting our own legislation to help protect critical infrastructure 
and improve our Nation’s cybersecurity efforts, it is important to 
really nail down the specifics of protecting privacy. 

In order to get our approach to cybersecurity and privacy right, 
we must examine it from all the angles. We must assess the cur- 
rent legal environment and identify challenges that companies 
must cope with in ensuring the privacy and security of their em- 
ployees’ and customers’ data. We must determine the types of infor- 
mation needed by the Government to prevent the attacks and the 
intended uses of that information. We must examine how commer- 
cial cybersecurity providers interact with their customers and the 
Government to share threat information. 
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Thankfully, our witnesses today cover the breadth of these issues 
with their testimony. 

I am particularly pleased we are joined by Harriet Pearson, who 
is one of the Fortune 1,000 first chief privacy officers and has been 
a trailblazer for developing information policies and practices for 
protecting the private data of employees — excuse me, consumers. 

Every American values their privacy and civil liberties as well as 
their security in cyberspace. I am confident that in building a last- 
ing solution to our cybersecurity, we can adopt measures that will 
satisfy privacy advocates, the business community, and our citi- 
zens. 

That ends my statement, Mr. Chairman, and I yield back the 
balance of my time. 

[The statement of Ranking Member Clarke follows:] 

Statement of Ranking Member Yvette D. Clarke 
April 25, 2013 

Here on the Homeland Security Committee, we have understood the need to bal- 
ance security and privacy for a long time. Protecting our Nation from 21st Century 
threats requires vigorous, coordinated action from our Government and State, local, 
private-sector, and international partners. 

But if we go overboard to identify and eliminate every conceivable threat at any 
cost, we risk trampling the very rights of the citizens we aim to protect. The need 
to find that proper balance has been a cornerstone of our committee’s work, on 
counterterrorism, on transportation security, and certainly on today’s topic, cyberse- 
curity. 

Most of the Government’s efforts in cybersecurity do not directly touch upon pri- 
vacy issues, and that is an important distinction that is not made often enough. 
Many programs, such as the Department of Homeland Security’s EINSTEIN pro- 
gram, do not involve the collection or sharing of any kind of personally identifiable 
information at all. 

And the vast majority of the information needed to thwart cyber attacks consists 
of technical data such as IP addresses and malicious code, which has little or noth- 
ing to do with someone’s social security number or passwords. But where the private 
sector needs to share information with the Government to stop cyber attacks, every 
precaution must be taken to ensure that the privacy of our citizens is ensured. 

Last month we heard from the American Civil Liberties Union on the importance 
of protecting privacy in cyberspace, and I am pleased that we are joined today by 
three witnesses who can really speak to the nuts-and-bolts challenges of protecting 
private data, both from the Governmental and business perspectives. 

As we look towards crafting our own legislation to help protect critical infrastruc- 
ture and improve our Nation’s cybersecurity efforts, it is important to really nail 
down the specifics on protecting privacy. 

In order to get our approach to cybersecurity and privacy right, we must examine 
it from all the angles: 

• We must assess the current legal environment and identify challenges that com- 
panies must cope with in ensuring the privacy and security of their employees 
and customers’ data; 

• We must determine the types of information needed by the Government to pre- 
vent attacks, and the intended uses for that information; 

• And we must examine how commercial cybersecurity providers interact with 
their customers and the Government to share threat information. 

Thankfully, our witnesses today cover the breadth of these issues with their testi- 
mony. I am particularly pleased that we are joined by Harriet Pearson, who was 
one of the Fortune lOOO’s first chief privacy officers, and has been a trailblazer for 
developing information policies and practices for protecting the private data of em- 
ployees and consumers. 

Every American values their privacy and civil liberties as well as their security 
in cyberspace, and I am confident that in building a lasting solution to our cyber 
insecurity, we can adopt measures that will satisfy privacy advocates, the business 
community, and our citizens. 

Mr. Meehan. I thank you, Ranking Member. 
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The other Members of the committee are reminded that opening 
statements may be submitted for the record. 

[The statement of Ranking Member Thompson follows:] 

Statement of Ranking Member Bennie G. Thompson 
April 24, 2013 

We are here to discuss ways to secure cyberspace and critical infrastructure from 
hackers while assuring that Constitutionally-guaranteed privacy and civil liberties 
are safeguarded. 

In the last 10 years, our society has become increasingly connected by computer 
networks. Networking technologies have changed our traditional notions of time and 
space. Our ability to reach the farthest corner of the earth has grown while the dis- 
tance between us has shrunk. The world and all it has to offer is a click away and 
can be viewed on a screen in front of us. 

But this unprecedented connectivity and convenience has not come without a 
price. We face new kinds of dangers that may come for us at any time from any 
corner of the globe. Destruction can be delivered with a keystroke. 

Unfortunately, cyber attacks are increasing. This Nation cannot unnecessarily 
delay implementation of cybersecurity programs to combat these threats. Those ef- 
forts must include responsible collaboration between private industry and the Gov- 
ernment to ensure the greatest care is given to our citizens’ private data. The pro- 
tections we put in place and the information we share to combat the threats must 
not undermine the privacy that each American rightfully regards as a fundamental 
freedom. 

Working together, we can create a legal framework which encourages businesses 
to share enough information to reduce the likelihood of intrusions and prevent fu- 
ture harm without compromising privacy. 

But, Mr. Chairman, perhaps the most important weapon in our arsenal to protect 
privacy is ensuring that the Government’s efforts are led by a civilian agency. Infor- 
mation sharing with Federal civilian agencies will provide the public with a sense 
of increased transparency and accountability because Congressional oversight and 
public information requests will enable Members of this body and members of the 
public to peek behind the curtain, ask questions, and find out what is happening. 

That is why I was proud to sponsor, with Chairman McCaul, an amendment to 
the Cyber Intelligence Sharing and Protection Act, which firmly established a center 
at the Department of Homeland Security to serve as the hub for cyber threat infor- 
mation sharing. As you know, this amendment was approved. 

Mr. Chairman, I thank you for holding today’s hearing to bring the privacy ques- 
tion into sharp focus. In the coming months, I look forward to introducing legislation 
to further improve our Nation’s cybersecurity posture, with a special emphasis on 
privacy implications. I would like to thank our witnesses for joining us today. I look 
forward to hearing the testimony. 

Mr. Meehan. We really are pleased to have a very distinguished 
panel of witnesses before us today on this important topic. I don’t 
think that there could have been a better group assigned, but this 
is a remarkably important issue, and I think you have the ability 
to help the American citizens understand where this area is in 
which important work is done to allow us to protect our homeland, 
but simultaneously significant and important work is being done 
and can be done to help us ensure that we protect the privacy in- 
terests of Americans. So I am hoping that we can educate those 
who don’t really understand in this complex area what the param- 
eters are. 

We have in this panel Ms. Mary Ellen Callahan, who we have 
had the privilege of having before this committee before, a Nation- 
ally recognized privacy attorney with an extensive background in 
consumer protection law. As the longest-serving former chief pri- 
vacy officer of the United States Department of Homeland Security, 
the first statutorily-mandated privacy officer in any Federal agen- 
cy, Ms. Callahan has a unique and broad knowledge of experience 
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with the interface of protection of privacy, civil rights, and civil lib- 
erties with cybersecurity and National security issues. 

During her tenure at the Department of Homeland Security, Ms. 
Callahan also served as the chief Freedom of Information Officer, 
responsible for centralizing both FOIA and Privacy Act operations 
to provide policy and programmatic oversight and support imple- 
mentation across the Department. 

Ms. Callahan is a founder and chair of Jenner & Block’s privacy 
information governance practice. 

We have Ms. Cheri McGuire, who serves as vice president for 
global government affairs and cybersecurity policy at Symantec, 
where she is responsible for managing a global team focused on cy- 
bersecurity, data integrity, and privacy issues. Prior to joining 
Symantec, Ms. McGuire served as the director of critical infrastruc- 
ture in cybersecurity in Microsoft’s Trustworthy Computing Group 
and also as Microsoft’s representative to the Industry Executive 
Subcommittee on the President’s National Security Telecommuni- 
cations Advisory Committee. Prior to joining Microsoft Ms. 
McGuire served in numerous capacities at DHS including as acting 
director and deputy director of the National Cybersecurity Division 
and US-CERT. 

We are very pleased to be joined as well by Ms. Harriet Pearson, 
a partner at Hogan Lovells, where she focuses on counseling clients 
on privacy and information security policy in compliance matters, 
data security incident response and remediation and information in 
cybersecurity risk management and governance. Ms. Pearson 
joined Hogan from IBM Corporation where she served as vice presi- 
dent, security counsel, and chief privacy officer. At IBM, she was 
responsible for information policy and practices affecting over 
400,000 employees and thousands of clients. She also lead IBM’s 
global engagement public policy and industry initiatives relative to 
cybersecurity and data privacy. I think that outlines the tremen- 
dous qualifications and experience of this very, very distinguished 
panel. 

So the witnesses’ full statements will appear in the record. 

The Chairman now recognizes Ms. Callahan for her testimony. 

STATEMENT OF MARY ELLEN CALLAHAN, PARTNER, JENNER 

& BLOCK, AND FORMER CHIEF PRIVACY OFFICER, U.S. DE- 
PARTMENT OF HOMELAND SECURITY 

Ms. Callahan. Thank you very much, sir. 

Chairman Meehan, Ranking Member Clarke, distinguished 
Members of the subcommittee, thank you for the opportunity to ap- 
pear before you again today. 

My name is Mary Ellen Callahan, and I am a partner at the law 
firm of Jenner & Block, where I chair the privacy and information 
governance practice and counsel private-sector clients on inte- 
grating privacy and cybersecurity. 

As the Chairman noted, from March 2009 to August 2012, I 
served as the chief privacy officer at the U.S. Department of Home- 
land Security. I have worked as a privacy professional for 15 years 
and have National and international experience in integrating pri- 
vacy into business and Government operations. I am appearing be- 
fore this subcommittee in my personal capacity. 
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As the subcommittee knows and as Ms. McGuire will detail more 
thoroughly, the United States critical infrastructure faces signifi- 
cant cybersecurity threats. However, cybersecurity and privacy 
must be integrated in order to effectively — most effectively protect 
those valuable assets. 

The Department of Homeland Security has taken multiple steps, 
including several during my 31/2-year tenure to integrate privacy 
into the DHS cybersecurity programs. First, as the Chairman no- 
ticed, DHS has thoroughly integrated the Fair Information Practice 
Principles into all of its programs, including cybersecurity. The 
FIPPs are eight interdependent principles that create a framework 
for how information may be used and shared in a manner that pro- 
tects privacy: Transparency; individual participation; purpose spec- 
ification; data minimalization; use limitation; data quality and in- 
tegrity; security; and accountability and auditing. 

DHS has furthermore been very transparent about its cybersecu- 
rity capabilities. For example, DHS published several privacy im- 
pact assessments, or PIAs, detailing pilot programs and informa- 
tion sharing among and between different entities, including a pilot 
program with the National Security Agency and an information- 
sharing program with the defense industrial base. 

The Department engaged privacy advocates and private-sector 
representatives on its cybersecurity activities through a Federal ad- 
visory committee subcommittee, multiple meetings with advocates, 
and with Congressional testimony such as before this committee. 

The Department has already hired multiple cybersecurity privacy 
professionals in order to embed them into the infrastructure at 
DHS. These privacy professionals review and provide comments 
and insight into cybersecurity standard operating procedures, 
statements of work, contracts, and international cyber information- 
sharing agreements. These privacy professionals also provide cyber- 
specific privacy training to the cybersecurity analysts to supple- 
ment the privacy training required for DHS employees and contrac- 
tors. 

Furthermore, an important tenet of the FIPPs is the concept of 
accountability. Given the importance of the DHS mission in cyber- 
security, the DHS Privacy Office conducted a privacy compliance 
review in late 2011. My office found that the cybersecurity program 
was generally compliant with the requirements outlined with cy- 
bersecurity privacy impact assessments. This compliance review is 
available in the DHS Privacy Office website, as are all the privacy 
documents referenced in my written testimony. 

Since I left DHS, I know through public knowledge that the De- 
partment continues to work to embed privacy protections into its 
cybersecurity activities. For example, its advisory committee, the 
Data Privacy and Integrity Advisory Committee, issued a robust 
paper for DHS to consider when implementing information-sharing 
pilots and programs with other entities, including the private sec- 
tor. Furthermore, in January 2013, DHS published a thoughtful 
and comprehensive privacy impact assessment covering the en- 
hanced cybersecurity surfaces, also known as ECS — we have a lot 
of acronyms, and I am sorry about that — ECS is voluntary program 
based on the sharing of indicators of malicious cyber activity be- 
tween DHS and participating commercial service providers. 
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The information-sharing implementation standards described in 
the ECS PIA are concrete examples of privacy by design and 
should well position DHS to effectively implement the increased in- 
formation sharing mandated in the 2013 Executive Order. In addi- 
tion, just this week, the Department announced that it will deploy 
EINSTEIN 3 accelerated, Imown as E3A, network intrusion pre- 
vention capabilities on Federal Government networks as a man- 
aged security service provided by ISPs, rather than placing the en- 
tire response on the Federal Government. 

DHS will share threat information it receives through E3A con- 
sistent with its existing policies and procedures. The way E3A is 
structured should enhance privacy, protect the Federal civilian Ex- 
ecutive branch departments and agencies, and provide a nimble re- 
sponse to the evolving cyber threat. 

The continued integration of privacy and cybersecurity is crucial 
for effective cybersecurity protections. In my 15 years, it is clear 
that privacy integration into the operational aspects of any activity 
makes the program both more effective and more likely to protect 
privacy. I believe DHS has appropriately and effectively integrated 
privacy and cybersecurity, both in its Federal Executive respon- 
sibilities and as an information-sharing responsibility. 

Thank you for the opportunity to appear before you this after- 
noon. I am happy to take any questions. 

[The prepared statement of Ms. Callahan follows:] 

Prepared Statement of Mary Ellen Callahan 
April 25, 2013 

Chairman Meehan, Ranking Member Clarke, distinguished Members of the sub- 
committee, thank you for the opportunity to appear before you today. My name is 
Mary Ellen Callahan. I am a partner at the law firm of Jenner & Block, where I 
chair the Privacy and Information Governance practice and counsel private-sector 
clients on integrating privacy and cybersecurity. From March 2009 to August 2012, 
I served as the chief privacy officer at the U.S. Department of Homeland Security 
(DHS or Department). I have worked as a privacy professional for 15 years, and 
have National and international experience in integrating privacy into business and 
Government operations. I am appearing before this subcommittee in my personal ca- 
pacity, and not on behalf of any other entity. 

As this subcommittee knows, the United States’ critical infrastructure, including 
Government assets, face significant cybersecurity threats. Cybersecurity and privacy 
must be integrated in order to most effectively protecting valuable assets. Further- 
more, if done right, increased cybersecurity (with appropriate standards and proce- 
dures) also means increased privacy. 

The Department of Homeland Security has taken multiple steps to integrate cy- 
bersecurity and privacy as part of the Department’s cybersecurity mission. In fact, 
DHS has integrated privacy into its cybersecurity program since the EINSTEIN pro- 
gram was launched in late 2003. Shortly thereafter, the Department published one 
of the its first Privacy Impact Assessments (PIA) on EINSTEIN 1 (a network flow 
system), detailing the privacy protections that DHS embedded into its cybersecurity 
program from the beginning, and being transparent about those protections.'^ In 
2008, DHS conducted a PIA on the second iteration of the DHS cybersecurity pro- 
gram, EINSTEIN 2 (adding an intrusion detection capability).^ These PIAs exem- 


' EINSTEIN 1, developed in 2003, provides an automated process for collecting computer net- 
work security information from voluntary participating Federal executive agencies. It works by 
analyzing network flow records. Even though DHS was not required to do a PIA given no per- 
sonally identifiable information (PII) was being collected, DHS conducted a PIA (DHS/NPPD/ 
PIA/001) on EINSTEIN 1 in September 2004 for transparency, available at: httpil / 
www.dhs.gov I xlibrary I assets I privacy / privacy pia einstein.pdf. 

2 As with EINSTEIN 1, EINSTEIN 2 passively observes network traffic to and from partici- 
pating Federal Executive Branch departments and agencies’ networks. In addition, EINSTEIN 
2 adds an intrusion detection system capability that alerts when a pre-defined specific cyber 
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plify the concept of “privacy by design” and are important foundational consider- 
ations for a large operational department like DHS. 

I. DHS INTEGRATION OF PRIVACY PROTECTIONS INTO ITS CYBERSECURITY PROGRAMS 

During my 3y2-year tenure at DHS, we further integrated privacy into the DHS 
cybersecurity programs in several ways. 

1. Integration of the Fair Information Practice Principles into DHS Cybersecurity 
Programs. — ^As noted below, DHS has thoroughly integrated the Fair Informa- 
tion Practice Principles (FIPPs) into its cybersecurity programs. The FIPPS are 
the “widely-accepted framework of defining principles to be used in the evalua- 
tion and consideration of systems, processes, or programs that affect individual 
privacy.”® 

The FIPPs are eight interdependent principles that create a framework for how 
information may be used and shared in a manner that protects privacy: Trans- 
parency; individual participation; purpose specification; data minimization; use 
limitation; data quality and integrity; security; and accountability and audit- 
ing.4 During my tenure, my office worked tirelessly to integrate the FIPPs into 
all DHS programs, including cybersecurity. 

2. Transparency. — DHS has been very transparent about its cybersecurity capa- 
bilities. During my tenure, DHS published several PIAs detailing pilot programs 
and information sharing among and between different Government entities. 
First, DHS discussed via PIA a 12-month proof of concept to determine the ben- 
efits and issues presented by deploying the EINSTEIN 1 capability to Michigan 
State government networks managed by the Michigan Department of Informa- 
tion Technology.® Shortly thereafter, DHS completed both a classified and un- 
classified PIA for the “Initiative Three Exercise”® of the Comprehensive Na- 
tional Cybersecurity Initiative.”'^ In the Initiative Three Exercise, DHS engaged 
in an exercise to demonstrate a suite of technologies that could be included in 
the next generation of the Department’s EINSTEIN network security program, 
such as an intrusion prevention capability. This demonstration used a modified 
complement of system components then being provided by the EINSTEIN 1 and 
EINSTEIN 2 capabilities, as well as a DHS test deployment of technology devel- 
oped by the National Security Agency (NSA) that included an intrusion preven- 
tion capability. The DHS Privacy Office worked with DHS and the NSA to be 
as transparent as possible with the Exercise, including naming NSA (and its 
role in the Exercise) expressly in the PIA. 

In early 2012, DHS published a PIA on its information-sharing pilot with the 
Defense Industrial Base;® after 180 days and a series of evaluations of its effec- 
tiveness, the PIA was updated to reflect the establishment of a permanent pro- 
gram to enhance cybersecurity of participating Defense Industrial Base entities 
through information-sharing partnerships. The permanent program was an- 
nounced via PIA shortly before my departure.® 

Furthermore, one of my last acts as Chief Privacy Officer was to approve a com- 
prehensive PIA that described the entire National Cybersecurity Protection Sys- 


threat is detected and provides the US— CERT with increased insight into the nature of that ac- 
tivity. The May 2008 PIA {DHS/NPPD/PIA-008) is available at: http: j livww.dhs.gov I xUbrary I 
assets / privacy 1 privacy pia einstein2.pdf. 

^National Strategy for Trusted Identities in Cyberspace, April 2011, available at: http:! ! 
www.whitehouse.gov I sites ! default ! files I rss viewer I NSTlCstrategy 041511.pdf. 

4 DHS adopted the eight FIPPs as a framework for Privacy Policy on December 29, 2008; see 
DHS Privacy Policy Guidance Memorandum 2008-01, available at: http: 1 1 www.dhs.gov I 
xlibrary I assets I privacy / privacy policyguide 2008-01.pdf 

^Privacy Impact Assessment Update for the EINSTEIN 1: Michigan Proof of Concept, Feb- 
ruary 19, 2010, (DHS/NPPD/PIA— 013) available at: http: I ! www.dhs.gov ! xlibrary ! assets ! 
privacy ! privacy pia nppd einsteinlmichigan.pdf. 

® US-CERT: Initiative Three Exercise Privacy Impact Assessment ( unclassified), March 18, 
2010, (DHS/NPPD/PIA-014) available at: http: ! j www.dhs.gov j xlibrary ! assets (privacy ! 
privacy pia nppd initiative3.pdf. 

See http: ( I www. whitehouse.gov I cybersecurity / comprehensive-national-cybersecurity -initiative 
for a description of all 12 cybersecurity initiatives. 

^Privacy Impact Assessment for the National Cyber Security Division Joint Cybersecurity Serv- 
ices Pilot (JCSP), January 16, 2012, {DHS/NPPD/PIA— 021) available at: http: II www.dhs.gov ( 

xlibrary ! assets ! privacy ! privacy nppd jcsp pia.pdf (N.B., this PIA has been retired with the 

release of the ECS PIA in January 2013, referenced below). 

^Privacy Impact Assessment Update for the Joint Cybersecurity Services Program (JCSP), De- 
fense Industrial Base (DIB) — Enhanced Cybersecurity Services (DECS), July 18, 2012, (DHS/ 
NPPD/PIA— 021(a)) available at: http: ( lwww.dhs.gov ! xlibrary ( assets ! privacy ! privacy-pia-up- 
date-nppd-jcps.pdf. (N.B., this PIA update has been retired with the release of the ECS PIA in 
January 2013, referenced below). 
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tern (NCPS), a programmatic PIA that explains and integrates all the NPPD/ 
Cybersecurity and Communication (CS&C) cyber programs in a holistic docu- 
ment, rather than the previous patchwork PIAs that were snapshots in time of 
CS&C capabilities A® This NCPS PIA helps provide a comprehensive under- 
standing of the CS&C cybersecurity program, further increasing transparency. 

3. Outreach and engagement with advocates and private-sector representatives . — 
The Department engaged privacy and civil liberties advocates and private-sector 
representatives about its cybersecurity activities in several ways. First, as part 
of the Cyberspace Policy Review conducted by the administration in 2009,^^ the 
Department met with privacy and civil liberties advocates and academicians (at 
a Top Secret/SCI level) to discuss the Advanced Persistent Threat landscape, 
and Government response. That ad hoc meeting led to the creation of a sub- 
committee of DHS’ Federal Advisory Committee Act-authorized committee, the 
Data Privacy and Integrity Advisory Committee (DPIAC).^^ The members and 
the experts on the DPIAC subcommittee (including privacy and civil liberties 
advocates, academicians, and private-sector representatives) were briefed fre- 
quently at the Top Secret/SCI level. After my departure, the DPIAC sub- 
committee produced an excellent report on integrating privacy into the DHS in- 
formation-sharing pilots and programs, discussed below. 

In addition to the systematic engagement of advocates, academicians, and pri- 
vate-sector representatives through the DPIAC subcommittee, DHS also dis- 
cussed its embedded privacy and cybersecurity protections in several public 
fora, including Congressional testimony,^^ public articles, and multiple public 
presentations before the DPIAC on DHS cyber activities. 

The DHS Privacy Office (and NPPD) also frequently met with privacy advocates 
to discuss cybersecurity considerations, either when a new program or initiative 
was announced, or during the quarterly Privacy Information for Advocates 
meetings instituted in 2009.^® 

4. Dedicated Cyber Privacy Personnel. — To be engaged and be able to effectively 
integrate privacy protections, the Department has hired multiple cyber privacy 
professionals. These cyber privacy professionals focus on integrating the FIPPs 
of purpose specification, data minimization, use limitation, data quality and in- 
tegrity, and security systematically into NCSD activities. For example, the Sen- 


'^^National Cybersecurity Protection Program Privacy Impact Assessment, July 30, 2012, (DHS/ 
NPPD/PIA— 026) available at: http: / / www.dhs.gov / sites / default j files / publications / privacy / 
privacy-pia-nppd-ncps.pdf. 

Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communica- 
tions Infrastructure, 2009, available at: http:! ! www.whitehouse.gov ! assets ! documents ! 
Cyberspace Policy Review final.pdf. 

12 The DHS Data Privacy and Integrity Advisory Committee provides advice at the request 
of the Secretary of Homeland Security and the DHS Chief Privacy Officer on programmatic, pol- 
icy, operational, administrative, and technological issues within the DHS that relate to PII, as 
well as data integrity and other privacy-related matters. The committee was established by the 
Secretary of Homeland Security under the authority of 6 U.S.C. §451 and operates in accord- 
ance with the provisions of the Federal Advisory Committee Act (FACA) (5 U.S.C. App). 

13 See, e.g.. The Cybersecurity Partnership Between the Private Sector and Our Government: 
Protecting Our National and Economic Security, Joint Committee Hearing before Senate Com- 
mittee on Homeland Security and Governmental Affairs and Senate Committee on Commerce, 
Science, and Transportation, March 7, 2013 (testimony of Secretary Janet Napolitano); DHS Cy- 
bersecurity: Roles and Responsibilities to Protect the Nation’s Critical Infrastructure, Hearing be- 
fore House Committee on Homeland Security, March 13, 2013 (testimony of Deputy Secretary 
Jane Holl Lute); Examining the Cyber Threat to Critical Infrastructure and the American Econ- 
omy, Hearing before House Committee on Homeland Security, March 16, 2011 (testimony of 
NPPD Deputy Under Secretary Philip Reitinger). 

i^See, e.g.. Securing Cyberspace While Protecting Privacy and Civil Liberties, Homeland Secu- 
rity Blog (by Secretary Janet Napolitano), April 2, 2013, available at: http:! / www.dhs.gov / blog! 
2013 1 04 1 02 1 securing-cyberspace-while-protecting-privacy-and-civil-liberties; Op-Ed: A Civil Per- 
spective on Cybersecurity, (Jane Holl Lute and Bruce McConnell), WIRED, February 14, 2011, 
available at: http:! ! www.wired.com ! threatlevel ! 2011 ! 02 ! dhs-oped ! all ! . 

See, e.g., on March 18, 2010, Deputy Assistant Secretary for Cybersecurity and Communica- 
tions Michael A. Brown presented to DPIAC on computer network security and related privacy 
protections in DHS, including the Department’s role in the CNCI (focusing on the DHS Privacy 
Office’s work on PIAs for EINSTEIN 1, EINSTEIN 2, and the proof-of-concept pilot project of 
the EINSTEIN 1 capabilities with the U.S. Computer Readiness Team and the State of Michi- 
gan), the National Cyber Incident Response Plan (NCIRP), and the National Cybersecurity and 
Communications Integration Center, US-CERT, DHS I&A, and the National Cybersecurity Cen- 
ter; on July 11, 2011, the Senior Privacy Officer for NPPD Emily Andrew described how her 
office was integrated into the NPPD structure. 

See DHS Privacy Office Annual Report, July 2009 to June 2010 at 66 for a discussion of 
the Privacy Information for Advocates quarterly meetings, available at: http: U www.dhs.gov j 
xlibrary I assets I privacy I privacy rpt annual 2010.pdf. 
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ior Privacy Officer for the National Protection and Program Directorate (report- 
ing to the Directorate leadership) was hired in August 2010; she has a dedi- 
cated privacy analyst on-site with CS&C and both are integrated into planning 
and implementation processes. In the DHS Privacy Office, there has heen a liai- 
son with NPPD cyhersecurity organizations since the first EINSTEIN PIA was 
written; currently that position is Director, Privacy and Technology. This Direc- 
tor of Privacy and Technology was, for a period of time, embedded at the NSA 
as part of the development of the enhanced relationship between the NSA and 
DHS.i’ 

When I was Chief Privacy Officer, I actively participated in numerous cyberse- 
curity policy planning organizations within the Department. 

5. Involvement and Coordination on Standard Operating Procedures, and Oper- 
ational Aspects of DHS Cybersecurity Activities. — ^As part of its mission to imple- 
ment the FIPPs and to integrate privacy protections into DHS cyhersecurity ac- 
tivities, DHS privacy professionals review and provide comments and insight 
into cyhersecurity Standard Operating Procedures (SOPs) (including protocols 
for human analysis and retention of cyber alerts, signatures, and indicators for 
minimization of information that could be PII), statements of work, contracts, 
and international cyber-information sharing agreements. 

6. Cyber-specifie Privacy Training for Cybersecurity Analysts and Federal Pri- 
vacy Professionals. — These cyber privacy professionals provide cyber-specific pri- 
vacy training to cyhersecurity analysts to supplement the privacy training re- 
quired for DHS employees and contractors. In my opinion as a privacy profes- 
sional, the more relevant and concrete you can make privacy training, the more 
likely the audience will understand and incorporate privacy protections into 
their daily activities, thus increasing personal accountability. 

During my tenure, the Department also engaged in a year-long Speakers Series 
for members of the Federal Government community to discuss privacy and cy- 
bersecurity issues, and their impact on Federal operations.'^® The Federal Gov- 
ernment-wide access to the Speakers Series helped enhance awareness of the 
cyhersecurity and privacy issues, along with providing an interagency commu- 
nications channel on privacy and cyhersecurity questions. 

7. Accountability of the Cybersecurity Program Through Privacy Compliance Re- 
view. — ^An important tenet of the FIPPs is the concept of accountability — peri- 
odically reviewing and confirming that the privacy protections initially embed- 
ded into any program remain relevant, and that those protections are imple- 
mented. 

While I was DHS Chief Privacy Officer, I instituted “Privacy Compliance Re- 
views” (PCRs) to confirm the accountability of several of DHS’s programs.'® We 
designed the PCR to improve a program’s ability to comply with assurances 
made in PIAs, System of Records Notices, and formal information-sharing 
agreements. The Office conducts PCRs of on-going DHS programs with program 
staff to ascertain how required privacy protections are being implemented, and 
to identify areas for improvement. 

Given the importance of the DHS mission in cyhersecurity, the DHS Privacy Of- 
fice conducted a Privacy Compliance Review in late 2011, publishing it in early 
2012.^® The DHS Privacy Office found NPPD/CS&C generally compliant with 
the requirements outlined in the EINSTEIN 2 PIA and Initiative 3 Exercise 
PIA. Specifically, NPPD/CS&C was fully compliant on collection of information, 
use of information, internal sharing and external sharing with Federal agencies, 
and accountability requirements. 

My office made five recommendations to strengthen program oversight, external 
sharing, and bring NPPD/CS&C into full compliance with data retention and 
training requirements. NPPD agreed with our findings and, as I understand it, 
has taken multiple steps to address our recommendations. For example, in re- 
sponse to one of the recommendations, the NPPD Office of Privacy now conducts 
quarterly reviews of signatures and handling of personally identifiable informa- 
tion. These reviews have provided increased awareness to US-CERT Staff and 


Memorandum of Agreement Between The Department of Homeland Security and The Depart- 
ment of Defense Regarding Cyhersecurity, September 2010, available at: http: I lwww.dhs.gov ! 
xlibrary / assets i 20101 013-dod-dhscyber-moa.pdf. 

'®See DHS Privacy Office Annual Report, July 2011~June 2012 at 27 for a discussion of the 
four-part Speakers Series, available at: http: I lwww.dhs.gov ! sites ! default I files ! publications ! 
privacy / Reports ! dhs privacyoffice 2012annualreport September 2012.pdf. 

'®See id., DHS Privacy Office Annual Report, July 2011-June 2012 at 39-40 for a detailed 
discussion of Privacy Compliance Reviews. 

^^Privacy Compliance Review of the EINSTEIN Program, January 3, 2012, available at: 
http:! / www.dhs.gov ! xlibrary ! assets i privacy ! privacy privcomrev nppd ein.pdf. 
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has helped to build positive working relationships with cyber analysts and lead- 
ership. This is important in continuing to integrate cybersecurity and privacy, 
by understanding the impact of each. 

In addition, as this subcommittee knows, the DHS Chief Privacy Officer has 
unique investigatory authorities, therefore in the unlikely event that something 
went awry in the future, the Chief Privacy Officer can investigate those activi- 
ties.^i 


II. DHS CONTINUES TO INTEGRATE PRIVACY PROTECTIONS INTO ITS CYBERSECURITY 

PROGRAMS 

Since I left DHS, I know through public information that the Department con- 
tinues to work to embed privacy protections in its cybersecurity activities. 

A. DPIAC Cybersecurity Report 

The DPIAC issued a robust advisory paper for DHS to consider when imple- 
menting information-sharing pilots and programs with other entities, including the 
private sector .22 The report addresses two important questions in privacy and cyber- 
security — “what specific privacy protections should DHS consider when sharing in- 
formation from a cybersecurity pilot project with other agencies?” and “what privacy 
considerations should DHS include in evaluating the effectiveness of cybersecurity 
pilots?” 

The DPIAC report supported in large part what DHS had been doing with regard 
to privacy protections incorporated in its cybersecurity pilots and programs. DPIAC 
recommended the following best practices when sharing information from a cyberse- 
curity pilot project with other agencies: Incorporate the FIPPs into cybersecurity ac- 
tivities; develop and implement clear data minimization rules and policies; provide 
employees and public users of Federal systems notice and transparency of the collec- 
tion, use, and sharing of information for cybersecurity purposes; when engaging in 
information sharing that includes PII or content of private communications, infor- 
mation sharing should be limited to what is necessary to serve the pilot’s purposes 
(with defined limits on law enforcement. National security, and civilian agency shar- 
ing); have more robust safeguards for information from private networks; define 
data retention policies to keep records no longer than needed to fulfill the purpose 
of the pilot; and integrate privacy by design and privacy-enhancing technologies 
whenever possible. 

This type of insight from privacy advocates, academicians, and private-sector rep- 
resentatives will enhance DHS’ considerations of privacy-protective options when 
sharing cybersecurity information. 

B. Enhanced Cybersecurity Services PIA 

Furthermore, in January 2013, DHS published a thoughtful and comprehensive 
PIA covering the Enhanced Cybersecurity Services (ECS), a voluntary program 
based on the sharing of indicators of malicious cyber activity between DHS and par- 
ticipating Commercial Service Providers.^® The purpose of the program is to assist 
the owners and operators of critical infrastructure to enhance the protection of their 
systems from unauthorized access, exploitation, or data exfiltration through a vol- 
untary information-sharing program. ECS is intended to support U.S. critical infra- 
structure, however, pending deployment of EINSTEIN intrusion prevention capabili- 
ties, ECS may also be used to provide equivalent protection to participating Federal 
civilian Executive branch agencies.^"* 

The ECS PIA is exemplary of how to integrate privacy protections into cybersecu- 
rity programs, particularly when engaging in information sharing with the private 
sector. This ECS PIA is the culmination of all of the hard work that I summarized 
above, including the DPIAC cybersecurity report. 


210 U.S.C. § 142(b). See ibid., DHS Privacy Office Annual Report, July 2011-June 2012 at 40 
for a discussion of the DHS Chief Privacy Officer investigatory authorities. 

^^Report from the Cyber Subeommittee to the Data Privacy and Integrity Advisory Committee 
(DPIAC) on Privacy and Cybersecurity Pilots, Submitted by the DPIAC Cyberseeurity Sub- 
committee, November 2012, available at: http: ! Iwivw.dhs.gov t sites I default (files j publications t 
privacy j DPIAC Idpiac cyberpilots 1 0 29 2012.pdf. 

23 Privacy Impact Assessment for the Enhanced Cybersecurity Services (ECS), January 16, 

2013, DHS/NPPD/PIA028, available at: http: 1 1 www.dhs.gov I sites j default I files ! publications ! 
privacy ! privacy pia nppd ecs jan2013.pdf. 

24 This PIA consolidates and serves as a replacement to the two PIAs I mentioned earlier: 
DHS/NPPD/PIA-021 National Cyber Security Division Joint Cyberseeurity Services Pilot PIA, 
published on January 13, 2012, and the DHS/NPPD/PIA-021(a) National Cyber Security Divi- 
sion Joint Cyberseeurity Services Program (JCSP), Defense Industrial Base (DIB) — Enhanced Cy- 
bersecurity Services (DECS) PIA Update, published on July 18, 2012. 
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It is clear DHS continues to embed privacy protections into cybersecurity activi- 
ties. The information sharing and implementation standards described in the ECS 
PIA are concrete examples of privacy by design, and should well position DHS to 
effectively implement the increased information sharing mandated by the February 
12, 2013 Executive Order on Improving Critical Infrastructure Cybersecurity.^® 

C. EINSTEIN 3 Accelerated (E^A) PIA 

In addition, just this week, the Department announced that it will deploy EIN- 
STEIN 3 Accelerated (E®A) network intrusion prevention capabilities on Federal 
Government networks as a Managed Security Service provided by Internet Service 
Providers (ISPs), rather than placing the entire response on the Federal Govern- 
ment.^® 

The use of ISPs as a Managed Security Service is noteworthy from a privacy per- 
spective for several reasons. First, the coordination and collaboration of the “best 
of breed” Federal classified and unclassified capabilities combined with the 
nimbleness (and proprietary capabilities) of the private-sector ISPs will allow a 
more robust response to evolving cybersecurity threats. It is an important recogni- 
tion by DHS that Federal cybersecurity programs did not need to re-invent cyberse- 
curity protections when defending Federal Government networks, but could supple- 
ment existing commercial intrusion prevention security systems to provide a more 
robust prevention and detection regime for the Federal civilian Executive branch. 

Second, integrating cybersecurity threat detection and intrusion prevention will 
allow DHS to better detect, respond to, or appropriately counter, known or sus- 
pected cyber threats within the Federal network traffic it monitors, which helps pro- 
tect the target systems from unauthorized intrusions (and therefore implements the 
security FIPP). It is important to emphasize — E®A monitors only select internet traf- 
fic either destined to, or originating from. Federal civilian Executive branch depart- 
ments and agencies (commonly known as .gov traffic). This data minimization and 
segregation is also privacy-protective; the ISP Managed Security Service can be com- 
partmentalized to affect only .gov traffic. The participating agencies will identify a 
list of IP addresses for their networks and both CS&C cybersecurity analysts and 
the ISPs verify the accuracy of the list of IP addresses provided by the agency. 
CS&C SOPs are followed in the event of any out-of-range network traffic is identi- 
fied and the ISP removes any collected data to prevent any further collection of this 
network traffic. This too is a privacy-protective approach, further confirming that 
the only impacted traffic is Federal civilian Executive branch departments and 
agencies. 

DHS will share cyber threat information it receives through E®A consistent with 
its existing policies and procedures (which have been thoroughly reviewed by the 
Department’s cyber privacy professionals). In accordance with the SOPs and infor- 
mation-handling guidelines, all information that could be considered PH is reviewed 
prior to inclusion in any anal 3 dical product or other form of dissemination, and re- 
placed with a generic label when possible, again protecting privacy. The way E®A 
is structured should enhance privacy, protect the Federal civilian Executive branch 
departments and agencies, and provide a nimble response to the evolving cybersecu- 
rity threat. 

III. INTEGRATION OF PRIVACY PRINCIPLES INTO CYBERSECURITY IS CRUCIAL FOR 
EFFECTIVE CYBERSECURITY PROGRAMS 

The continued integration of privacy and cybersecurity is crucial for effective cy- 
bersecurity protections. In my experience based on 15 years as a privacy profes- 
sional as both outside counsel and chief privacy officer at DHS, it is clear that inte- 
grating privacy into the operational aspects of any activity makes the program both 
more effective and more likely to protect privacy. For example, providing tailored 
training, and engaging the analysts or employees in the field facilitates the integra- 
tion of privacy into daily operations. Ex ante review of programs and anticipating 
issues such as unintended uses, data minimization, and defined standards for infor- 
mation sharing are also important to confirm privacy protections are working 
throughout the life cycle of information collection. Embedding privacy protections 
into SOPs and information-handling guidelines help to further the goal of the 
project while assuring that privacy protections are systematically integrated into a 


Executive Order on Improving Critical Infrastructure Cybersecurity, available at: http:! / 
www.ivhitehouse.gov ! the-press-office / 2013102 1 12 / executive-order-improving-critical-infrastruc- 
ture-cybersecurity. 

^^Privacy Impact Assessment for EINSTEIN 3 — Accelerated (E^A), April 19, 2013 (DHS/PIAl 
NPPD-027), available at: http: ! I www.dhs.gov I sites ! default ! files ! publications (privacy ! PIAs ! 
PIA%20NPPD%20E3A%2020130419%20FINAL %20signed.pdf 
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program or service. Finally, transparency is the cornerstone for any privacy program 
to succeed. 

These privacy-by-design factors are important any time an organization incor- 
porates privacy into a new program, but they are particularly important with an 
operational cybersecurity program such the DHS National Cybersecurity Protection 
System which continuously counters emerging cybersecurity threats and applies ef- 
fective risk mitigation strategies to detect and deter these threats. Integrating pri- 
vacy from the beginning — and periodically testing to confirm that the integration 
continues — is the only way to effectively protect cybersecurity and privacy. In fact, 
if done right, increased cybersecurity also means increased privacy. 

To address threats and minimize the impact on Federal facilities and critical in- 
frastructure, key agencies and critical infrastructure companies must share informa- 
tion about cybersecurity threats. That said, such information sharing must occur in 
a thoughtful, clearly-designed process that also minimizes the impact on individual 
privacy. I believe that DHS has appropriately and effectively integrated privacy and 
cybersecurity both in its Federal Executive branch responsibilities and in its infor- 
mation-sharing responsibilities as articulated in the ECS and related cybersecurity 
PIAs. Currently, I advise private-sector clients that this privacy-by-design approach 
should be taken to most effectively combat cybersecurity threats by both increasing 
cybersecurity protections and protecting privacy. 

Thank you for the opportunity to appear before you this afternoon. I would be 
happy to take any questions you may have. 

Mr. Meehan. Thank you, Ms. Callahan. 

The Chairman now recognizes Ms. McGuire for your testimony. 

STATEMENT OF CHERI F. MCGUIRE, VICE PRESIDENT, GLOB- 
AL GOVERNMENT AFFAIRS & CYBERSECURITY POLICY, 

SYMANTEC 

Ms. McGuire. Chairman Meehan, Ranking Member Clarke, and 
distinguished Members of the subcommittee, thank you for the op- 
portunity also to testify today on behalf of Symantec corporation. 
We are the largest security software company in the world, with 
over 31 years of experience in providing security, storage, and sys- 
tems management solutions. With more than 21,000 employees and 
operations in more than 50 countries, protecting critical infrastruc- 
ture, Government, and citizens’ data is core to our mission and our 
business. 

My name is Cheri McGuire. I am the vice president for global 
government affairs in cybersecurity policy, where I lead a team 
that addresses the global public policy agenda for the company, in- 
cluding data integrity, critical infrastructure protection, cybersecu- 
rity, and privacy issues. 

At Symantec, we are committed to assuring the privacy, security, 
availability, and integrity of our customers’ information. Too often, 
security is portrayed as being in conflict with or somehow under- 
mining privacy. However, in the digital world, nothing could be fur- 
ther from the truth, because your privacy is only as secure as your 
data. Criminals and hackers, many of whom are well-funded and 
highly skilled, have built a business model based on their ability 
to steal and monetize personal information. 

Recent efforts to improve the Nation’s cybersecurity posture have 
recognized that privacy and security must be addressed in tandem. 
Symantec supports an approach that allows to us share threat indi- 
cators and related non-PII within industry and within Government. 

Now, I would like to talk briefly about today’s threat landscape. 
As we briefed the committee last week, our latest internet security 
threat report noted that, in 2012, approximately 93 million identi- 
ties were exposed through hacking, theft, and simple user error. 
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We also found that there was a 42 percent rise in targeted attacks, 
an increasing number which are directed at small businesses. 

Finally, we saw a 58 percent rise in attacks designed to go after 
mobile devices. Simply put, every year, threats are increasing and 
becoming more sophisticated. Sharing actionable threat and vulner- 
ability information is an essential element to combating threats 
like these. As a general rule, we believe that voluntary informa- 
tion-sharing programs are the best way to develop trusted partner- 
ships to achieve the best results. That trust is weakened when 
Government information-sharing mandates are imposed on indus- 
try. 

In order for information sharing to be effective it must be shared 
in a timely manner with the right people or organization and with 
the understanding that, as long as an entity shares information in 
good faith, it will not face legal liability. 

In addition, the Government must have the proper tools and au- 
thorities to disseminate information effectively. We were pleased 
that the Executive Order the President signed in February and leg- 
islation passed in the House last week sent a clear message to the 
Government that sharing actionable information for cybersecurity 
purposes with the private sector is both a priority and a necessity. 

Information sharing on cyber threats happens in a number of 
ways designed to protect our customers and their data. We get in- 
formation from a myriad of sources, from our customers, our part- 
ners, the Government and our network — and through our network, 
called the global intelligence network of 69 millions attack sensors. 

The information itself can be high-level threat data, details about 
a particular incident or attack, data signatures or other types of 
metadata. All of this data is then aggregated and analyzed, and 
during that process, we remove PII. Using this data, we develop 
machine-level signatures and other identifying information about 
specific pieces of malware and other threats. We also regularly 
publish analyses of attacks as well as white papers on current and 
future threat factors. 

In closing, Symantec is deeply committed to securing the privacy 
and security of our customers’ information. I hope that my testi- 
mony today has provided some insight into how we protect our cus- 
tomers’ privacy and share threat information with our various part- 
ners while also balancing that with the need for robust cybersecu- 
rity. Thank you, again, for the opportunity to testify today, and I 
am happy to answer any questions you may have. 

[The prepared statement of Ms. McGuire follows:] 

Prepared Statement of Cheri F. McGuire 

Chairman Meehan, Ranking Member Clarke, and distinguished Members of the 
subcommittee, thank you for the opportunity to testify today on behalf of Symantec 
Corporation. 

My name is Cheri McGuire and I am the vice president for global government af- 
fairs and cybersecurity policy at Symantec. I am responsible for Symantec’s global 
public policy agenda, including cybersecurity, data integrity, critical infrastructure 
protection (CIP), and privacy. In this capacity, I work extensively with industry and 
Government organizations, including serving from 2010 to 2012 as chair of the In- 
formation Technology Sector Coordinating Council (IT SCO — one of 16 critical sec- 
tors identified by the President and the U.S. Department of Homeland Security 
(DHS) to partner with the Government on CIP and cybersecurity. I also serve as 
a board member of the Information Technology Industry Council, the TechAmerica 
Commercial Policy Board, and the U.S. Information Technology Office (USITO) in 
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China, and am a past board member of the IT Information Sharing and Analysis 
Center (IT-ISAC). Prior to joining Symantec in August 2010, I was director for crit- 
ical infrastructure and cybersecurity in Microsoft’s Trustworthy Computing Group. 
Before joining Microsoft in 2008, I served in numerous positions at DHS, including 
as acting director and deputy director of the National Cyber Security Division and 
U.S. Computer Emergency Readiness Team (US-CERT). 

Symantec is the largest security software company in the world, with over 31 
years of experience in developing internet security technology. We are the global 
leader in providing security, storage, and systems management solutions to help 
consumers and organizations secure and manage their information and identities. 
We protect more people and businesses from more on-line threats than anyone in 
the world. Symantec has developed some of the most comprehensive sources of 
internet threat data through our Global Intelligence Network (GIN). Comprised of 
approximately 69 million attack sensors, the GIN records thousands of events per 
second and covers over 200 countries and territories 24 hours a day, 7 days a week. 
It allows us to capture world-wide security intelligence data that gives our analysts 
an unparalleled view of the entire internet threat landscape, including emerging 
cyber attack trends, malicious code activity, phishing, and spam. 

Symantec also maintains one of the world’s most comprehensive vulnerability 
databases, currently consisting of more than 51,000 recorded vulnerabilities (span- 
ning more than 2 decades) from over 16,000 vendors representing over 43,000 prod- 
ucts. Every day we process more than 3 billion e-mail messages and more than 1.4 
billion web requests across our 14 global data centers. In short, if there is a class 
of threat on the internet, Symantec knows about it. 

At Symantec, we are committed to assuring the privacy, security, availability, and 
integrity of our customers’ information. Too often security is portrayed as being in 
conflict with or somehow undermining privacy. In the digital world, nothing could 
be further from the truth, because your privacy is only as secure as your data. 

We welcome the opportunity to provide comments as the committee continues its 
important efforts to bolster the state of cybersecurity while protecting privacy in the 
United States and abroad. In my testimony today, I will provide the subcommittee 
with: 

• our latest analysis of the threat landscape as detailed in the just-released 
Symantec Internet Security Threat Report (ISTR), Volume 18; 

• our core privacy principles; 

• an overview of the current information-sharing environment; and 

• a summary of how we ensure privacy when we share threat information. 

today’s threat landscape 

We rely on technology for virtually every aspect of our lives, from driving to and 
from work, to mobile banking, to securing our most critical systems. As the use of 
technology increases so do the volume and sophistication of the threats. At 
Symantec, it is our goal to ensure that we are thinking ahead of the attackers. 
Looking at the current threat landscape is not enough — we must also keep our eyes 
on the horizon for evolving trends. 

In the latest Symantec Internet Security Threat Report (ISTR), we detail that in 
2012, approximately 93 million identities were exposed through hacking, theft, and 
simple error. That is 93 million individuals whose personal information is now po- 
tentially for sale in the black market — 93 million people who are at risk for credit 
card fraud, identity theft, and other illegal schemes. 

We also found that there was a 42 percent rise in targeted attacks last year.i It 
is almost certain that this trend will continue in the coming years. Conducting suc- 
cessful targeted attacks requires attackers to do research about the organizations 
they are seeking to penetrate, and often about specific people who work there. 
Attackers will mine the internet for information about how a company does business 
and use what they learn to craft personalized attacks designed to gain access to its 
systems. Once they gain access, they will move within a system, collecting informa- 
tion and staging data for exfiltration — the unauthorized transfer or release of data 
from a computer or server — to their own computers. Attackers can spend weeks and 
months covertly moving around a victim’s system, collecting e-mail, personal data, 
documents, intellectual property, and even trade secrets. 

We also saw a sharp rise in the exploitation of mobile malware. Last year, mobile 
malware increased by 58 percent, and 32 percent of all mobile threats attempted 
to steal personal information, such as e-mail addresses and phone numbers. Attacks 


^Symantec Internet Security Threat Report XVIII, April 2013. http:! ! www.symantec.coml 
security response /publications I threatreport.jsp. 



17 


on mobile devices will almost certainly continue to rise as we become ever more reli- 
ant on these devices to perform our daily activities, such as working, banking, shop- 
ping, and social networking. 

Another alarming finding was the rise of attacks on small and medium-size busi- 
nesses. In 2012, 50 percent of all targeted attacks were aimed at businesses with 
fewer than 2,500 employees, and the largest growth area for targeted attacks was 
aimed at businesses with fewer than 250 employees. Thirty-one percent of all at- 
tacks targeted them, up from 18 percent the year before. This likely stems from the 
fact that unlike large enterprises, smaller businesses often do not have the re- 
sources to install adequate security protocols, making them an easier target for 
attackers. Yet many of these small companies subcontract or work for larger compa- 
nies — and thus hold intellectual property and trade secrets coveted by attackers. As 
one of our security engineers likes to say, while every subcontractor may sign a 
strict non-disclosure agreement, the attacker who is sitting on that small company’s 
system is not bound by it. 

In sum, whether they are attacking our computers, mobile phones, or social net- 
works, cyber-criminals are looking to profit by spying on us or stealing our informa- 
tion. Our best defense is strong security, education, and good computer hygiene. 

PRIVACY AND SECURITY GO HAND-IN-HAND 

At Symantec, we are guided by the following privacy principles: First, customers 
should be empowered to decide how their personal information is used, and in- 
formed what — if anything — will be done with it. Second, privacy protections must 
be integrated into the development of products or services and not added as an 
afterthought. Finally, we all need to be proactive in protecting privacy — absent 
strong security, information is vulnerable. 

Criminals and hackers — many of whom are well-funded and highly skilled — have 
built a business model based on their ability to steal and monetize personal infor- 
mation. There is an entire criminal eco-system that trades in stolen personal infor- 
mation, as well as the tools and technology that allow them to steal more. Some 
of these criminal enterprises are so sophisticated that they provide 24/7 customer 
support, and offer guarantees that the stolen information they provide is valid. 

In the face of this criminal threat, it should go without sa3dng that strong security 
is essential to securing our personal data and private information. Simply put, if 
your data is not secure, then neither is your privacy. And, if you do not take steps 
to secure your own personal information, or the companies to which you entrust it 
do not do so, you are gambling with your privacy. When it comes to personal data, 
security measures and data protection are not an infringement on privacy but in- 
stead are the foundations of protecting it. 

Recent efforts to improve the Nation’s cybersecurity posture — whether legislative 
initiatives or Executive branch actions — have recognized that privacy and security 
must be addressed in tandem. The various bills in the House and the Senate have 
taken different approaches, but in the information-sharing area there is broad 
agreement that both the Government and the private sector need to be able to share 
cybersecurity information for cybersecurity purposes. This view also is shared by 
many prominent civil society organizations. Reaching consensus on the precise pa- 
rameters of those terms is where complications have arisen. Symantec supports an 
approach that allows us to share threat indicators and related non-Personally Iden- 
tifiable Information (PII) within industry and with the Government. In our view, 
companies should receive legal protection for sharing appropriate information with 
other companies or civilian agencies, and we believe that data minimization stand- 
ards are a reasonable approach. 

THE CURRENT INFORMATION-SHARING ENVIRONMENT 

Globally, there are many different information-sharing models, ranging from vol- 
untary programs to regulatory mandates to ad hoc arrangements to contractual 
agreements. Sharing can be Government-to-Government, business-to-business, and 
between Government and business. As a general rule, we believe that voluntary pro- 
grams — which of course leave space for contractual and ad hoc arrangements — are 
the best way to develop trusted partnerships to achieve the best results. In the 
United States, we have a voluntary framework based on the National Infrastructure 
Protection Plan (NIPP).^ The NIPP, as refined by the recent Presidential Decision 


^National Infrastructure Protection Plan (2009), http: 1 1 www.dhs.gov I xlibrary I assets I 
NIPP_Plan.pdf. 
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Directive 21, establishes 16 critical infrastructure sectors and identifies a sector-spe- 
cific Federal agency for each.^ 

Within each sector, there are Government Coordinating Councils (GCC) and Sec- 
tor Coordinating Councils (SCC). Nearly all sectors also have chartered Information 
Sharing and Analysis Centers (ISAC), operational entities that are tied to industry 
and serve as a focal point for voluntary information sharing. The level of trusted 
partnership and engagement among the GCCs, SCCs, and ISACs varies from sector 
to sector. Symantec has a long and successful history of participation and leadership 
in various multi-industry organizations as well as puhlic-private partnerships in the 
United States and globally, including the National Cyher-Forensics & Training Alli- 
ance (NCFTA), the IT-ISAC, the Industry Botnet Group Mitigation Initiative, and 
many others. 

Effective sharing of actionable information among the public and private sectors 
on cyber threats, vulnerabilities, and incidents is an essential component of improv- 
ing cybersecurity. It is important to recognize that information sharing is not an end 
goal, but rather is one of a number of tools to enhance the security of IT systems. 
Good information sharing provides situational awareness so that appropriate protec- 
tive and risk mitigation actions can be put into place. In order for information shar- 
ing to be effective, information must be shared in a timely manner, must be shared 
with the right people or civilian organizations, and must be shared with the under- 
standing that so long as an entity shares information in good faith, it will not face 
legal liability. 

The NCFTA provides a good example of how private industry and law enforce- 
ment partnerships can yield real-world success. NCTFA is a Pittsburgh-hased orga- 
nization that includes more than 80 industry partners — from financial services and 
telecommunications to manufacturing and others — working with Federal and inter- 
national partners to provide real-time cyber threat intelligence. 

The IT-ISAC is another example of a successful puhlic-private partnership. The 
group’s primary purpose is to allow organizations to exchange information about se- 
curity threats and vulnerabilities. Member companies report information concerning 
security problems that they have or solutions to such problems that they have 
found. Members also participate in National and homeland security efforts to 
strengthen IT infrastructure through cyber threat information sharing and analysis. 
The IT-ISAC also has an industry-funded representative that works at the National 
Cybersecurity & Communications Integration Center (NCCIC) to facilitate real-time 
information sharing and response. 

One of the most successful U.S. puhlic-private partnerships has been cybersecu- 
rity exercises. The level of engagement and resources brought to bear from the Gov- 
ernment and industry to jointly plan and develop scenarios, define information-shar- 
ing processes, and execute the exercises has been unprecedented. When done right, 
the lessons learned from these exercises have been invaluable to both industry and 
Government to help improve response plans and improve preparedness for future 
incidents. 

In addition, the Government must have the proper tools and authorities to dis- 
seminate information effectively. I have seen too many instances of the Government 
releasing information on cyber threats days and sometimes weeks after a threat has 
been identified. In many of these cases, by the time the Government releases the 
information it often has little use because the private sector has already identified 
and taken actions to mitigate the threat. There is no single solution that will elimi- 
nate these delays, but various legislative proposals move us one step closer to elimi- 
nating some of the legal harriers that currently impede sharing. Moreover, the Exec- 
utive Order (EO) the President signed in February 2013 sent a clear message to the 
Government that sharing information with the private sector is both a priority and 
a necessity.^ 

Further, we also support an incentive-based approach to information sharing. 
There is no doubt that businesses can gain a competitive advantage by not dis- 
closing information to their competitors. However, a well-incentivized program of 
collaboration can help offset those disadvantages and keep the information flowing 
freely. We also need to address policies that discourage businesses who would be 
willing to share information but choose not to because of fear of prosecution. There- 


^The 2009 National Infrastructure Protection Plan (http:/ / www.dhs.gov I xUbrary/ assets I 
NIPP Plan. pdf) identified 18 critical infrastructure sectors. Presidential Decision Directive 21 
(Critical Infrastructure Security and Resilience, signed February 12, 2013) revised that to 16. 
See http: / / www.whitehouse.gov / the-press-office / 2013 / 02 / 12 / presidential-policy-directive-crit- 
ical-infrastructure-security-and-resil. 

^See Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” 78 Fed. Reg. 
11739 (February 19, 2013). 
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fore, liability protections are necessary to improve bi-directional information shar- 
ing. 

As with any partnership, information sharing is founded upon and enabled by 
trust. That trust is weakened when Government information-sharing mandates are 
imposed on industry. Enhanced self-interest and a flexible approach are more likely 
to improve information sharing than Government mandates. 

PROTECTING PRIVACY AS WE SHARE THREAT INFORMATION 

At Symantec, we understand the vital importance of sharing information for cy- 
bersecurity awareness and response. We recognize that information stored on our 
servers is sensitive, confidential, and often personal in nature. Therefore, we take 
very seriously our role in safeguarding our customer’s personal information and go 
to great lengths to ensure that personal information remains private. 

Information pertaining to customers such as credit card information, addresses, 
or other PII is not shared under any circumstances unless we are compelled by law, 
following appropriate due process. In addition, we comply with the Payment Card 
Industry Data Security Standard and follow specific rules under our privacy pro- 
gram to ensure that we collect only data that is proportionate for the purposes for 
which it is collected, and that is relevant and necessary for the services provided. 

Information sharing on cyber threats happens in a number of ways and for var- 
ious reasons. We get information from myriad sources — from our customers, our 
partners, the Government, and our network of sensors. The information itself can 
be high-level threat data, details about a particular incident or attack, data signa- 
tures, or other information. All of this data is then aggregated and analyzed, and 
during that process we remove PII. The resulting work product can range from ma- 
chine-level signatures or identifying information for a specific piece of malware to 
a quick analysis of a particular attack to a published white paper on current and 
future threat vectors. This work product can then be provided to our customers and 
partners in both the private sector and the Government, depending on the par- 
ticular parameters of the sharing agreement. 

In some cases, the communication is purely bilateral — a customer provides us in- 
formation about activity on its system (either manually or through an automated 
sensor), and we report back on what we see happening. Other times we share it 
broadly, including sometimes publicly, but only after removing any PII to ensure 
that the report cannot be linked to a particular individual or customer. When we 
share reports on attack trends or publish white papers on particular threats, PII 
is removed as part of long-standing policy and we only share information directly 
related to the cyber threat. We have legal and organizational safeguards to ensure 
that information is only disclosed to the intended partners and only used for the 
expressed purpose. 

In closing, Symantec is deeply committed to securing the privacy and security of 
our customer’s information. Thank you again for the opportunity to testify, and I 
will be happy to answer any questions you may have. 

Mr. Meehan. Thank you, Ms. McGuire. 

The Chairman now recognizes Ms. Pearson to testify. 

STATEMENT OF HARRIET P. PEARSON, PARTNER, HOGAN 

LOVELLS 

Ms. Pearson. Thank you very much, Chairman Meehan, Rank- 
ing Member Clarke, and Members of the subcommittee. 

My name is Harriet Pearson. I am a partner in the Hogan 
Lovells law firm, where I focus on cybersecurity and privacy law. 
From November 2000 until July 2012, I served as the IBM corpora- 
tion’s chief privacy officer and security counsel, and I have been en- 
gaged in this area of privacy and security since the mid-1990s. 

Thank you for the opportunity to participate in today’s hearing 
on how we in the United States in the business community and in 
Government can protect our critical infrastructure from cyber- 
based threats while safeguarding individual privacy. 

Let me start with the observation that the relationship between 
cybersecurity and privacy is complex, as we have heard. On the one 
hand, cybersecurity that protects data from intrusion, theft, and 
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misuse obviously is a significant privacy safeguard that cannot be 
understated. On the other hand, some cybersecurity measures that 
monitor access and use of systems and digital networks can impli- 
cate the collection of personal information, or PIT, where data can 
be linked to individuals and thus raises some privacy concerns. 

Understanding that relationship and integrating privacy into cy- 
bersecurity has never been more important. As we have heard and 
as the committee well knows, the threat is out there. There are 
risks, and the risks come in multiple forms, particularly for those 
businesses that are part of the critical infrastructure and that have 
to take these measures. The private sector’s role in this respect is 
vital. You know that the critical information, much of it and much 
of the most valuable intellectual property of our society are owned 
and managed largely by the private sector. Therefore, the steps 
that companies take to safeguard their most precious possessions 
and assets and figuratively to lock up and secure their premises 
are very significant. Increasingly companies are stepping up to that 
challenge and taking those measures. 

Let me articulate a couple of, or give you a couple of examples 
of the kinds of measures that might implicate some level of collec- 
tion or access to potentially personal information. There are some 
measures, such as systems and network monitoring; you have to 
know what is going on in your systems. You might have to access 
and collect some personal information. Background checks, more of 
us are bringing our own devices and hooking them up to sensitive 
or important networks, and you have to make and take safeguards. 
Supply chain and vendor networks need to be secured, and some- 
times you need information. Information sharing, as has been dis- 
cussed with Government and other entities in the private sector, 
might also at times implicate some kind of personal information 
and thus steps need to be taken. 

My recommendations for how these concerns can be addressed 
start with the premise that it can be addressed. There are respon- 
sible ways and many organizations are already taking those steps 
in the business community. Some suggestions for how and observa- 
tions on how organizations are taking those steps include, first, we 
have talked already on the panel, and Chairman and Ranking 
Member talked about the Fair Information Practice Principles, or 
the FIPPs. That is an important acronym to keep in mind in my 
view. Applying the FIPPs is what privacy professionals do in the 
United States all day long, every day, in many situations. Applying 
FIPPs to information sharing and other cybersecurity measures 
and steps is absolutely critical. 

Second, one of the most foundational elements of the FIPPs is 
this notion of transparency, articulating what you are doing, edu- 
cating and being open about the steps taken, not of course to the 
degree that it compromises the important security measures that 
need to be taken but articulating it so that there is some under- 
standing of the measures and that there is some ability to say, 
hmm, what is going on, let’s have a conversation about it in the 
democratic tradition of the United States. 

Third, we have in this country a tradition of creating codes of 
conduct, voluntary measures that once organizations buy into them 
and engage in them, actually become quite important as a measure 
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of establishing base lines of behavior in business. I endorse the de- 
velopment of voluntary codes of conduct for the privacy-sensitive 
deployment of certain cybersecurity measures and programs that 
are common enough to warrant such effort. Examples of this might 
include information-sharing codes of conduct in which organiza- 
tions that engage in information-sharing partnerships with each 
other and with Governmental agencies developed and commit to 
adopt privacy-sensitive practices such as the one that Ms. McGuire 
mentioned. 

Another example is the new work that is being undertaken by 
NIST, as mandated by the recently-issued Executive Order on crit- 
ical infrastructure cybersecurity, to develop a privacy — to develop 
a cybersecurity framework. As you know, NIST is consulting with 
multiple stakeholders on the development of this kind of frame- 
work, and the committee can play an important role in asking 
about and looking at the kind of privacy for consideration built into 
that framework. 

Finally, through law, the expectations, responsibilities, and legal 
protections for privacy when data is shared or requested by Gov- 
ernment in particular need to be clear, and there have been certain 
legislation enacted through this house that have clarified the role 
and some important progress and language has been included in 
that and further efforts by Government and industry leaders out- 
side of this kind of legislation will also be useful to educate and en- 
able stakeholders involved in these activities to design privacy in 
information sharing and related activities. 

Thank you for the opportunity to appear before you today, and 
I will be happy to take questions. 

[The prepared statement of Ms. Pearson follows:] 

Prepared Statement of Harriet P. Pearson 
April 25, 2013 

Chairman Meehan, Ranking Member Clarke, and Members of the subcommittee, 
my name is Harriet Pearson and I am a partner in the Hogan Lovells law firm, 
where I focus on cybersecurity and privacy law.^ From November 2000 until July 
2012 I served as the IBM Corporation’s chief privacy officer and security counsel. 

Thank you for the opportunity to participate in this hearing on how we in the 
United States can protect our critical infrastructure from cyber-based threats while 
safeguarding individual privacy. 

The relationship between cybersecurity and privacy is complex. On the one hand, 
cybersecurity that protects data from intrusion, theft, and misuse obviously is a sig- 
nificant privacy safeguard. On the other hand, cybersecurity measures that monitor 
access and use can implicate the collection of personal information (or data that can 
be linked to individuals), and thus raises privacy concerns. 

Organizations of all types increasingly are taking steps to protect themselves and 
the people that rely on them from cyber-based threats. Cyber threats come from 
many different sources. The risk to information systems and the data that resides 
or travels on them can come from activists, criminals, or spies. Most of the time, 
these bad actors attack from outside the company; sometimes, they strike from with- 
in. Frequently they are enabled by the carelessness or inattention of otherwise well- 
meaning individuals who leave the digital analog of the front door open for easy 


^ My professional service includes membership on the advisory boards of the Future of Privacy 
Forum and the Electronic Privacy Information Center. I was a founding and long-time member 
of the board of the International Association of Privacy Professionals. I also serve on the Amer- 
ican Bar Association president’s Cybersecurity Legal Task Force, co-chair the Cybersecurity Law 
Institute of the Georgetown University Law Center, and was a member of the CSIS Commission 
on Cybersecurity for the 44th Presidency. The views I express are mine only, and are not offered 
on behalf of Hogan Lovells or its clients, or other organizations. 
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entry. And sometimes there is no affirmative attack at all, as in case where a sys- 
tem malfunction occurs or sensitive data is lost or misdirected by accident — pre- 
senting risks that are still quite significant if such information gets into the wrong 
hands. 

Since the critical infrastructure and the most valuable IP of our society are owned 
and managed largely by the private sector, the steps companies take to safeguard 
their most precious possessions and figuratively to lock their doors, close their win- 
dows, and make sure only authorized people and things cross the threshold are ex- 
actly the steps needed to improve cybersecurity for society at large. Sharing infor- 
mation about observed threat patterns and vulnerabilities with other companies and 
with appropriate authorities is also part of the mix. This is akin to participating 
in a neighborhood watch that involves proactive and collaborative engagement with 
law enforcement. 

While adoption of cybersecurity defenses will, as I noted, serve to protect personal 
data (indeed, there can be no data privacy without sufficient security, including cy- 
bersecurity), some of the defense techniques may require the monitoring or collec- 
tion of personal information, and thus implicate privacy concerns. 

• First, there is network and system monitoring. — Experts agree that in order to 
detect and defend against cyber attacks, organizations should be aware of how 
their information networks and IT systems are behaving. Such monitoring typi- 
cally is focused on non-personal information such as malware indicators, bad IP 
addresses, and network flow data. Of course, the more specifically one monitors, 
and potentially records, activity, the more potential there is that personal data 
will be part of the information reviewed and/or collected. 

• The next issue is that of background eheeks. — Not all cyber-defense measures in- 
volve cyber tactics. Organizations frequently find it prudent to conduct back- 
ground checks — at times quite extensive — on individuals with access to certain 
sensitive systems and data. By definition, background checks require the collec- 
tion and use of personal information. 

• A new aspect of data security arises from the “Bring Your Own Device” phe- 
nomenon. — ^An increasing number of organizations are allowing their workforce 
to use personally-owned smartphones, PCs, and other devices. The steps organi- 
zations take to secure such devices and the data that might be stored on them 
often involve access to personal data. 

• Steps taken to strengthen supply chain and vendor security may also raise pri- 
vacy issues. — Security-conscious enterprises understand that the weakest link in 
their organization may lie outside their formal control. Measures imposed on 
their vendors and suppliers may require those third parties to conduct back- 
ground checks and share other information that has privacy implications. 

• Information sharing with third parties and Government agencies means that 
personal information may be shared. — Finally, but importantly, experts agree 
that rapid and preferably automated cross-organizational sharing of cyber 
threat information is essential to help detect and defend against cyber attacks. 
And as Members well know, given the recent passage of H.R. 624, the Cyber 
Intelligence Sharing and Protection Act, there can be significant privacy issues 
raised by such sharing. 

While each of these areas of cybersecurity techniques raises privacy concerns, 
those concerns can be addressed responsibly. 

First, consistent with the well-known Fair Information Practice Principles,^ data 
collection should be thoughtfully limited; used only for the purpose of security or 
other carefully considered and approved purposes; retained only for as long as need- 
ed for security and other legitimate purposes; and shared only with those that need 
the data for security or other carefully considered and approved purposes, with ac- 
companying limitations on their sharing, use, and retention. These are concepts that 
privacy professionals in American business apply every day, and close collaboration 
between privacy professionals and security personnel at companies is essential to 
ensure that the security/privacy balance is correct and that Fair Information Prac- 
tice Principles are applied to design privacy into cybersecurity programs. 

Second, there should be transparency as to the cybersecurity measures that orga- 
nizations, especially operators of critical infrastructure, increasingly are using. 
Transparency is fundamental to the Fair Information Practice Principles. When im- 


^The U.S. privacy framework is based on underlying principles of fairness known as “Fair In- 
formation Practice Principles” or “FIPPs,” which were first developed in the United States in 
the 1970s and have since influenced every privacy law, regulation, or code of conduct adopted 
in this and many other nations. The Fair Information Practice Principles focus on empowering 
individuals to exercise control over personal information that pertains to them, and on ensuring 
that measures are taken to achieve adequate data security. 



23 


plemented, it reassures individuals that the processing of information that relates 
to them is not being done in secret, thus enabling them to pursue any recourse 
available if necessary. 

As it relates to cybersecurity measures, transparency would include encouraging 
companies that are deploying network and systems monitoring to disclose their use 
of such measures (not in sufficient detail as to defeat their operations, of course, 
but in enough detail that individuals know about the systems monitoring the use 
of workplace technologies and the like). The more we inform and educate each other 
about how cybersecurity systems work, and how privacy considerations are ad- 
dressed in their design and implementation, the more these measures are 
demystified. 

Third, I endorse the development of voluntary codes of conduct for the privacy- 
sensitive deplo3nnent of cybersecurity measures and programs that are common 
enough to warrant such effort. Examples might include information-sharing codes 
of conduct, in which organizations that engage in information-sharing partnerships 
with each other and with Governmental agencies develop and commit to adopting 
privacy-sensitive practices. Another example is new work by the National Institute 
for Standards and Technology as mandated by the recently-issued Executive Order 
on Improving Critical Infrastructure Cybersecurity, to develop a voluntary Cyberse- 
curity Framework that includes consideration of privacy. As you know, NIST will 
be consulting with stakeholders in both Government and industry as it develops the 
Framework. This subcommittee can keep the focus on privacy issues by showing in- 
terest in, and requesting to see, how privacy is integrated into NIST’s and others’ 
cybersecurity efforts. 

Finally, the expectations, responsibilities, and legal protections for privacy when 
data is shared with or requested by Government need to be clear. Legislation that 
clarifies the rules surrounding information sharing is a valuable first step, and it 
is encouraging to see that the privacy issues associated with information sharing 
have been discussed and that language addressing these issues has been included 
in the legislation proposed in this Congress. Further efforts by Government and in- 
dustry leaders, outside of new legislation, will also be useful to educate and enable 
stakeholders involved in these activities to design privacy into information sharing 
and related activities. 

Thank you for the opportunity to appear before you today and to present my 
thoughts on how we can achieve a meaningful balance between privacy and pro- 
tecting the United States’ critical infrastructure. 

Mr. Meehan. Thank you, Ms. Pearson. 

Thanks, each of you on the panel, for helping us to set the table 
on this issue. Let me begin, because I think that may be one of the 
places for us to begin to draw the parameters around this issue to 
get to the places where we think the real crux of the privacy issues 
find themselves. 

I was struck your testimony, Ms. Callahan, where you said, if 
done right, increased cybersecurity with appropriate standards and 
procedures also means increased privacy. 

Ms. McGuire, you testified that security is portrayed as being in 
conflict with or somehow undermining privacy; in the digital world, 
nothing could be further from the truth. 

Ms. Pearson, you discussed a little bit where there may be some 
sort of conflicts, but at the same time, there are some steps being 
taken. You talked about FIPPs. 

Maybe that is a good place to start. I would like your general ob- 
servations, each in order, about what you believe are the important 
steps that are being taken to create the privacy protections while 
we enable information to be shared and maybe specifically what 
FIPPs is and how that enhances this ability. Ms. Pearson or others, 
if you have an area in which you find you say “but,” don’t tell hesi- 
tate to tell us what the “but” is. 

Ms. Callahan, I will recognize you. 

Ms. McGuire, Ms. Pearson, in order. 

Ms. Callahan. Thank you very much, sir. 
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My testimony with regard to increased cybersecurity can enhance 
increased privacy goes to the FIPP of security because the informa- 
tion has to be kept secure; it has to be kept contained. Ms. 
McGuire testified about 93 million exposed identities, and those 
people did not have the FIPPs to protect them in that cir- 
cumstance. But what is important is the parenthetical that you 
read of mine, which is, you have to have the appropriate standards, 
procedures, and safeguards within that in order to protect that in- 
formation. 

Mr. Meehan. Can you take one moment and tell me 93,000 peo- 
ple — 

Ms. Callahan. Ninety-three million identities. 

Mr. Meehan [continuing]. Did not have the FIPPs. Would you 
explain what you mean by that? 

Ms. Callahan. It is Ms. McGuire’s number, but I think it in- 
volves data breaches, ma’am. 

Ms. McGuire. The number was 93 million identities that were 
lost or stolen in 2012, and that could be through any number. It 
could be cyber attacks, laptops stolen, et cetera. 

Mr. Meehan. Okay. 

Ms. Callahan. So the concept of unauthorized access, whether 
we are talking about it as a laptop or a device, as Ms. Pearson 
talked about, or an actual cyber attack, where an organized cyber 
criminal is taking the information. In that circumstance, not all 
FIPPs prevent. That is my point about security as an important 
element to the protection of privacy, because if you can’t keep the 
information secure, then you can’t have privacy, but you can en- 
hance it if indeed you have the proper safeguarding. 

Mr. Meehan. So, in other words, even though the Government 
may not be getting that information for 94 million people, it is al- 
ready out there in not only the private sector but out there in the 
world of criminality and otherwise. 

Ms. Callahan. That is correct. It could be as much as that. That 
we need to mitigate that and address that going forward. 

Mr. Meehan. Ms. McGuire. 

Ms. McGuire. So I think it might be useful for me to take a little 
bit about Symantec’s sort-of, our privacy principles, and we have 
three of those: First, that we believe that customers should be em- 
powered to decide how their personal information is used and in- 
formed what, if anything, will be done with it; and second, that pri- 
vacy protections must be integrated into the development of prod- 
ucts and services and not added as an after-thought; and finally, 
that we all need to be proactive in protecting our own privacy, and 
absent strong security, as I said before, information is vulnerable. 
We take a number of steps as a company to secure the privacy, the 
PIT information of our customers and our partners and those are 
tied directly to the FIPPs, as Ms. Callahan discussed, as well as 
a number of internal policies, privacy policies, and privacy impact 
tools that we use across our company. So I think it has to be a 
multi-pronged approach, both with informing customers as well as 
developing your own internal policies and practices to safeguard 
that personally identifiable information. 
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Mr. Meehan. Where do you come down on the industries devel- 
oping personal policies, hut where does the Government come in on 
creating policies that the industry needs to adhere to? 

Ms. McGuire. Well, I think that, as Ms. Pearson talked about, 
this notion of voluntary or codes of conduct that have been devel- 
oped over time, the adoption of those can be quite useful, as well 
as internationally developed standards that many times those 
codes of conduct form the basis for as it moves through the stand- 
ard development process. 

Mr. Meehan. I am worried about the changing nature of the 
threat and whether or not we will be able to create consistent, sort- 
of, this is today’s standard, it may be less relevant tomorrow if 
there are new technologies or new ways to get around it. 

Ms. McGuire. Well, I think you raise a very, very important 
point, and that is standards need to be flexible enough so that, as 
time evolves, the nature of the threat evolves, that they can 
evolve — the standard can evolve as well. Sometimes if they are 
written too tightly, they will constrict the ability to respond and 
deal with the next level of threat as it evolves. 

Mr. Meehan. Thank you. 

Ms. Pearson, my time is up, but your time is still ticking to an- 
swer and be responsive to any of the issues that were raised. 

Ms. Pearson. What I will say is that the Fair Information Prac- 
tice Principles were developed in the United States over 30 years 
ago, and they are still as good today as they were back then. So 
that shows the power of having principles that can guide our be- 
haviors. When it comes to identifying what kind of information you 
collect, if you are a business trying to protect your assets and your 
people and then share, there are some really foundational ques- 
tions, which is: What am I doing, what am I collecting, do I really 
need to collect it? The answer may be, no, or the answer may be 
I do collect a lot of information so that I can identify patterns, so 
I can see abhorrent uses, so I can secure my networks. Once you 
decide on kind of a principle level, what are you collecting, the 
question then becomes: What do you need to share it, what exactly 
do you need to share? From my own experience and personal expe- 
rience with my clients, I know that the vast majority of the infor- 
mation involved in addressing cyber threats has nothing to do with 
individuals. It is IP addresses. It is the signatures. It is very tech- 
nical information. So when it comes time to share that information, 
that really is not a privacy-related concern. Where there might be 
information that relates to individuals, then the question becomes: 
Do you need to share it? How important is it to the mission in- 
volved or to the goal? Are there abilities to strip or share or amass 
or protect that information? That is really the question. 

Operationally speaking, I see companies more and more being 
able to do that. I see innovation in the marketplace, American in- 
novation on the part of the companies, like Ms. McGuire’s and oth- 
ers, coming up the curve to help deal with that particular privacy 
issue and help address technical or operational or market meas- 
ures. That is what I see. 

Then, finally, as you deal with industry-to-Government, the ques- 
tion I think that you are all in an excellent place to address is: 
What will Government do with it? What will happen to it, and 
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what kind of assurances back and forth are in place to make pre- 
dictable to the American people and to business what happens to 
that information, including protecting its confidentiality for privacy 
purposes as well as business confidentiality purposes? 

Mr. Meehan. Thank you. 

My time has expired, and now, at the suggestion of the Ranking 
Member, we are going to go out of order and recognize the gentle- 
men from Nevada, Mr. Horsford, for questioning. 

Mr. Horsford. Thank you very much, Mr. Chairman. 

Thank you to the Ranking Member, I appreciate the courtesy to 
our witnesses, and thank you for being here. 

Just briefly, obviously, this is an important National security 
issue, and the need for qualified cybersecurity experts has grown 
at the same time. Everyone from our President to the GAO has 
said that we have to address this as a serious economic challenge, 
both in the public and private sectors. 

Now it appears that our ability to meet the cybersecurity work- 
force needs of the Nation are not fully understood or fully quan- 
tified. Would you recommend that the Federal Government work 
with the private sector as well as training and educational institu- 
tions to address the problem of kind of the workforce areas of cy- 
bersecurity? If so, how? 

Ms. McGuire. So, really important this issue of workforce devel- 
opment and education and training for the future cybersecurity ex- 
perts and workers of the future. Today, we have a number of pub- 
lic-private partnerships between industry and Government that 
have been quite effective. Unfortunately, they are not effective 
enough because the demand is so high for these types of high- 
skilled employees in the future, but things like the National Cyber- 
security Alliance, the National Initiative for Cyber Education, that 
DHS and NIST and the Department of Defense and Commerce are 
leading, those are the kinds of efforts, as well as National Science 
Foundation’s, Cyber Corps to train up that next generation. 

We need more of those kinds of programs, frankly, in order to 
meet the challenge of this deficit. It really is a deficit that we have. 
I can tell you today, as a company, we have more than a thousand 
openings, a thousand job openings, for high-skilled engineers, and 
we could go across any number of high-tech companies as well as 
manufacturing and other industries, who cannot meet the chal- 
lenge today. That really is impacting our country’s economics mov- 
ing forward. 

Ms. Callahan. I would note briefly the Secretary and Deputy 
Secretary have testified before this committee asking for such flexi- 
bility, and these initiatives that Ms. McGuire spoke about are help- 
ful, but I think that we need to do more to really help buttress the 
cybersecurity options. 

Ms. Pearson. One thought on privacy aspects here, as I have 
worked with cybersecurity professionals, the best ones have taken 
training and have an enormous degree of sensitivity to the impor- 
tance of privacy as they work on defending against attacks and also 
safeguarding information. So an element of cybersecurity curricula 
ought to be, and I believe it is in most of these programs, an ele- 
ment of data protection or privacy training as well. 
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Mr. Horsford. So gathering all of these, like you said, initiatives 
and public-private partnerships to know what is out there and 
what is working and where the gaps might be, steps this committee 
could take to move some ideas forward. 

Let me also ask, as I said, cyber threats are both in the private 
and public sector. I am from Nevada, and we have a large number 
of facilities critical to National security. The Nevada National Test 
Site is in my district, for example, and is a critical component to 
National security efforts. Obviously, do you agree that we need to 
do everything we can to protect these facilities? 

Ms. Callahan. Yes, absolutely. 

Ms. McGuire. Yes. 

Mr. Horsford. So my follow-up question is: In this budgetary 
environment, does the protection from cyber threats against our 
National security facilities need to be a budget priority? 

Ms. McGuire. We have stated during this uncomfortable period 
of sequestration and some of the cuts that are going on, that cyber- 
security issues should be at the forefront and a priority to not be 
taking the scalpel to at this point in time. I think you can look at 
any number of reports, whether they are our report or others, as 
well as reports coming out of various agencies, that this is not the 
time to be putting our critical infrastructure, our National security 
apparatus at risk. 

Mr. Horsford. Thank you very much, Mr. Chairman. 

Thank you to the Ranking Member, again, for the courtesy. 

Mr. Meehan. I thank the gentlemen for taking the time to join 
us today. I know he had conflicts in his schedule. It is deeply ap- 
preciated. 

Also, for the record, I think we all share the genuine appreciation 
to assure the adequate funding for this very, very important area, 
although this is one of the areas, actually the budget was plussed 
up in this area, which was, in this day, a victory, where staying 
even is the new staying ahead; that was a good result. 

At this moment, the Chairman now recognizes the gentleman 
from Montana, Mr. Daines. 

Mr. Daines. Thank you, Mr. Chairman. 

I was — my last 12 years in the private sector before I came to 
Congress here in January was actually the cloud computing com- 
pany that we took public in global operations. So we were very 
much in the midst of denial-of-service attacks and I guess living in 
the world you all live in every day. 

We had a case one time where the Federal Government came 
asking for customer data regarding a threat to our National secu- 
rity; in fact, it was the Secret Service that approached us, and we 
refused to give the information up, saying this was customers’ data; 
it was not our data, ultimately. The Secret Service moves quickly, 
and a subpoena came about 2 hours later, and then we had a proc- 
ess where we could hand the data over to investigate the situation. 

What do you think is the minimum amount of data, talking 
about the balance of privacy and protecting our country and indus- 
try from cyber attacks, what is the minimum amount of data that 
you think we need to adequately trace back a cyber attack? I would 
love to get opinions on that. 
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Ms. McGuire. So I think there is often a lot of questions around 
IP addresses and whether or not that is considered PII or not. In 
our view, IP addresses are really a pointer back to a specific threat, 
and they need to be aggregated with other information in order to 
actually resolve back to an individual. So, at the face value, be- 
cause we get this question a lot, are IP addresses PII, and there 
is a little bit of a gray area there; sometimes they can be, but gen- 
erally they are not. So I think this goes to the crux of the broader 
issue around attribution and the difficulty we have with attribution 
today because IP addresses are not generally static; there are con- 
stantly changing. So to your question around what is or isn’t, it is 
not always clear, but I think if you have the proper standards and 
practices and policies in place to make sure that privacy or PII in- 
formation and privacy is protected, that you are on the right side 
of the issue. 

Ms. Callahan. I would add, for the Department of Homeland Se- 
curity, when I was there, the way they would address it is that 
there were these signatures or indicators that may or may not con- 
tain what could be personally identifiable information. Ms. 
McGuire mentioned IP address. There also may be other indica- 
tions that could be personally identifiable information. So what the 
Department has done, due to its standard operating procedures, is 
to look at that and see whether or not that personally identifiable 
information needs to be shared or information that could be person- 
ally identifiable needs to be shared as part of the signature or indi- 
cator. If it does, then it has to be approved by a supervisor to make 
sure that it indeed is consistent with the SOP. So if it is necessary, 
that information will be shared, but you have to analyze it to make 
sure that it is not just being shared because it is easier. 

Mr. Daines. Ms. Pearson. 

Ms. Pearson. I agree with my colleagues. Most of the time, piec- 
ing together what happened or what is the source does not really 
require access to personally identifiable information, but sometimes 
it does. It is a little bit like detective work. I think you can avoid 
that kind of data to some degree, but sometimes, it is just embed- 
ded in systems. It is embedded in the kind of thinking you have 
to do. It is not just the digital detective work; sometimes you have 
to think about, for example, was somebody trying to — and this is 
an amalgam of client experiences I have had — is somebody trying 
to get at a system using a mix of physical as well as digital meas- 
ures? So then the question becomes: Well, who had access, phys- 
ically who had access? That is the kind of information that might 
be collected and might conceivably be shared with law enforcement 
because fundamentally most of this kind of activity we are talking 
about is against the law. 

Mr. Daines. Right. Let me ask you this, Wayne Gretzky made 
the famous comment, “skate to where the puck is going.” In this 
very dynamic and world of innovation and break fix, and things 
change within minutes and hours; you talked a bit about tech- 
nology that could be used to minimize data as it is coming in as 
it is relates to privacy. Where do you see that headed as — of course, 
we have had a lot of concerns from our constituents about the 
whole privacy issue, but where do you think this is all headed here 
when you make advancements in technology that can cost-effec- 
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tively minimize data, still allows us to investigate but yet protects 
the privacy of our constituents? 

Ms. Pearson. My own view is that the market speaks, and as 
the market looks for solutions like this, that protected security by 
either requesting or rewarding the ability to manage in mass data, 
then these solutions are technically feasible and have already been 
invented, frankly, and it is a matter of commercializing them, 
doing what you did, taking it to the market. 

One thing to note, in my view also, is that we are here talking 
about homeland security issues, cybersecurity issues as it relates 
to that aspect, but there are so many other reasons that companies 
need to keep information secure and confidential. There are other 
sources of legal obligation. There are other sources of reputational 
issues. 

Mr. Daines. The forces of competition. 

Ms. Pearson. The forces of competition are absolutely there, and 
the innovations available to embed, whether it is cloud computing 
or in new ways of segmenting information on devices that we all 
carry and use these days, are available or are coming. It is a mat- 
ter, I think, of pooling them. 

Mr. Daines. I know my time is up. I would love to have Ms. 
McGuire answer that if I could, Mr. Chairman. 

Mr. Meehan. The Chairman would allow Ms. McGuire to share 
her instincts on this. 

Ms. McGuire. Thank you. I think there are — there is a lot of 
work being done in this area as far as innovation with moving to 
machine, really machine-to-machine readable data, so that people 
don’t even get into the middle of this. It is about really identifying 
at the front end when the data is coming in what would be consid- 
ered PIT so that maybe a human never actually even looks at it. 
So I think that is certainly a direction that we need to go in when 
we are talking about this kind of information sharing for cyberse- 
curity protection. That is, I think, is a major innovation the indus- 
try is moving towards today. 

Mr. Daines. Thank you. 

Mr. Meehan. Thank you, Mr. Daines. 

The Chairman now recognizes the Ranking Member, the 
gentlelady, Ms. Clarke. 

Ms. Clarke. Thank you very much, Mr. Chairman. 

I thank the panelists once again for bringing their expertise to 
bear on this very timely issue. There are two central privacy con- 
cerns when we talk about private-sector collaboration with the Gov- 
ernment to stop cyber attacks, are over what information gets sent 
and who in the Government it is sent to. Various legislative ap- 
proaches to these two questions have been quite controversial and 
is something we in Congress are still struggling to get right. 

So I want to ask the panel three questions: How much minimiza- 
tion of the information should be required from the private sector 
side when sharing information? Does too much minimization place 
an undue burden on companies, and where is the right place in the 
Government for this sharing to occur? 

Ms. Callahan. Thank you very much. Ranking Member Clarke. 
The concept of minimization is an important tenant of the FIPPs 
and one that the DHS applied very consistently through its stand- 
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ard operating procedures when I was there, and I believe continues 
to do so. With that said, how much minimization is appropriate, 
necessary from the private sector? I don’t think the question how 
much is — I think it is more to think about how to effectively and 
efficiently implement it, rather than putting the burden on the pri- 
vate sector to go through all these laborious steps, but if they ad- 
dress it, either through machine-to-machine readable that Ms. 
McGuire spoke about, or through other standard policies and proce- 
dures, like the Department has been implementing, which is kind 
of now like muscle memory in terms of how to implement it, I 
think it can be an effective tool in order to share timely informa- 
tion on threats without unduly burdening privacy. 

Ms. McGuire. From our perspective, we think that reasonable 
minimization standards or practices as are outlined in the FIPPs 
is appropriate and is not an undue burden for industry. At least 
from our perspective, we do that today. 

As far as your question about where should the information-shar- 
ing relationship reside within the Government today, our view is 
that it should reside with the civilian agency and for a couple of 
reasons. One is, we believe that it sends the right message to our 
citizens and to other governments. We have a long tradition of — 
in this country of being a civilian-led government, and we also be- 
lieve that the civilian agencies today have a framework in place to 
work with the private industry. 

If you look at the level of investment over the last 10 years, that 
industry as well as Government has put into the public/private 
partnerships, for example, that DHS today is the focal point and 
lead for with the participation of the rest of the associated agencies 
as well as the Department of Defense, we believe that we should 
build on that foundation and not, you know, spend another 10 
years trying to create something that, while we need improve- 
ments, we can utilize and build on today. 

Ms. Pearson. Let me add my perspective on this. In terms of 
data minimization, one thing to note would be that, by far, the ma- 
jority, if not every single organization, the private sector that I 
have seen, no one is eager to open the door and hand over informa- 
tion to Government unless there is process of some sort, some rules 
around it. The gentleman spoke about a subpoena or some kind of 
legal structure, and I think the minimization of information to be 
handed over or to be shared or to be allowed to access to, a lot of 
that motivation is there already. So in terms of standards, I think 
educating and putting that thought process into, for example, the 
new NIST cybersecurity framework so that it is put in there as 
other elements are put in as a voluntary framework that we all 
know will be quite influential. I think is very important to send a 
signal and the expectation there. 

Certain businesses and organizations in the private sector have 
more sophistication than others, and so I think as well for smaller 
and medium-sized businesses, particularly that thought process 
and the technology of how to do that, I think, will be perhaps more 
challenging than other large organizations, so that is an open issue 
that I don’t have a solution for at this moment, but again, you 
know, I would point to it. 
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Then, finally, in terms of the right place or the central location, 
I guess my observation would be that in the last number of years 
that I have been working in this area, that there has been a col- 
laboration among agencies as everyone has sorted through who has 
expertise, how do you go about doing this, how do you work with 
the private sector, and that collaboration today, while imperfect, no 
doubt, has been effective and has shown a regard for the mission 
and the objective over a regard for individual organizational dy- 
namics, and that, I think, is the most important element to con- 
tinue. 

I share Ms. McGuire’s general view of the importance of civilian- 
led engagement, but I also am cognizant of the fact that there have 
been collaborations that have been very effective and worthwhile 
that have been handled primarily through the military more or 
military agencies. 

Ms. Clarke. Very well. Thank you very much. 

I yield back, Mr. Chairman. 

Mr. Meehan. I thank the gentlelady. 

The Chairman now recognizes the gentleman, the former pros- 
ecutor for Massachusetts, Mr. Keating. 

Mr. Keating. Thank you, Mr. Chairman, Ranking Member. 

I just had a question. There has been a lot of discussion about 
the private-sector involvement, the Governmental involvement. To 
what extent are universities and colleges involved in dealing with 
this issue, trying to seek resolution, trying to do research, looking 
at programs? What is your experience about their involvement in 
this and how has that been utilized by either government or the 
private sector? Anyone? 

Ms. Callahan. I guess I will start. So, there is a great deal of 
research going on with cybersecurity and cybersecurity protections. 
There is also a lot of integration among the different colleges to 
help protect it. In addition, as you note, sir, the colleges themselves 
have potentially critical infrastructure information or research in- 
formation that they will need to protect themselves. So, from the 
Department’s perspective, they have been — they were — when I was 
there, and I think they have continued since I have left, continued 
to do outreach to try to help bolster both the cybersecurity training 
that Ms. McGuire spoke about but also to help bolster the research 
involved therein. 

Ms. Pearson. The additional observation I will make is that uni- 
versities and colleges in our country are among the most privacy- 
sensitive organizations, particularly because they are Federally 
statutorily mandated to protect educational records, and so I think 
from a privacy side of the cybersecurity equation, they would be 
among the institutions I would say would be most sensitive to the 
aspects of what to do to monitor systems to, you know, protect in- 
formation that way. 

They also, as a group, happen to have access to some of the lead- 
ing-edge innovation in intellectual property in this country, and so 
incenting them and helping universities identify their crown jewels 
and to encourage them to protect is, I think, an important attribute 
of what we are doing as a strategy and National strategy, and you 
know, I think that is important. 
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Mr. Keating. I believe there is a middle ground myself that they 
could really occupy, where they don’t have a commercial interest as 
much as some cyber, you know, some private-sector sides. The ad- 
ditional benefit of investing in universities will address one of the 
other issues that were brought up. As we are using and utilizing 
universities, we are going to have more trained people available in 
the workforce, so that is a major side benefit of doing that, so I 
just 

Ms. McGuire. I would also just add that the academic institu- 
tions and universities have been involved in this information shar- 
ing for quite awhile now with their research and education net- 
working, information sharing and analysis center, the REN-ISAC 
as it is called. It is actually a consortium of universities that share 
threat and other types of data amongst themselves so that they can 
help to bolster their own protections, and that has been in exist- 
ence for over 10 years now. So I think it is important that we also 
make sure that they are a part of this information-sharing partner- 
ship as well moving forward. 

Mr. Keating. You know, I do believe there is a greater place for 
them in adopting some policies and using some of that innovation 
and some of the models that might be there. 

Quick question. Let’s assume there is a major cyber attack, at- 
tack on systems, something that would have a dramatic effect on 
our economy. Now, there will be a reaction to that. What would be 
the one thing you would not want to see Government react to per- 
haps that would be overreacting to such a major, major event, be- 
cause there will be reaction when that happens, and there will be 
a suddenness if we don’t move on our own ahead of time? What 
would be your greatest fear that Government would overreact in 
that kind of situation? 

Ms. McGuire. I think there is two. One is on the operational 
real-world side, which is that — and this goes back to that attribu- 
tion question that we talked about earlier, that perhaps there 
might be some kind of defensive posture taken that is more detri- 
mental as an outcome than the attack itself and perhaps targets 
the wrong systems or networks as part of that defense. 

The second piece is really around policy, and that is that when 
we — when we see big events of other types in the past, we can 
often get a knee-jerk reaction in the development of policy or rules 
and regulations that may not, may not always be as conducive in 
the long run while they are trying to address the short-term issue 
to our ability to protect ourselves for the long term. So those are 
the two areas. 

Mr. Keating. Thank you, Mr. Chairman. I yield back. 

Mr. Meehan. Thank you, Mr. Keating. 

The Chairman now recognizes the gentleman from Texas, Mr. 
Vela. No questions at this point in time. Thank you. I am very 
grateful for your taking the time to join us, Mr. Vela, and notwith- 
standing. 

If the — no objection, I have a few follow-up questions on some 
issues that I would like to have you further clarify. 

The panel has talked a number of times today about personally 
identifiable information sort of in the context of other questions, 
but I think there is a fundamental question: Just what do you be- 
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lieve personally identifiable information might be? Then, what is 
threat information, and how are they distinguished? Are there sim- 
ilarities? Help me to help others understand what you think those 
terms mean. 

Ms. Callahan. I guess I will go first. So, there is a kind of tradi- 
tional definition of personally identifiable information which is as- 
sociated with an individual, name, email address, social security 
number, telephone number, and that has traditionally been the def- 
inition of personally identifiable information. There has been an 
approach to broaden that for information that is identified or could 
be identified with an individual, and that is the current Federal 
definition of personally identifiable information, so you could have 
some liaison information with it. 

In fact, the Federal Trade Commission, on a slight different note 
actually has now included IP address, MAC address associated 
with mobile devices and other information that is personally identi- 
fiable information in their rule on children’s privacy. So it is kind 
of a little bit of a moving target. 

With regard to Department of Homeland Security and how they 
think about personally identifiable information in the cyber con- 
text, they look at information, including IP address, and they pre- 
sume that it is personal information, so this data mineralization 
process I spoke about earlier with the gentleman from Montana 
talks about let’s presume that an email address or an IP address 
is personal information, is it necessary to be included in the signa- 
ture or the threat information? 

Mr. Meehan. Right. 

Ms. Callahan. It is a broad definition, and then the analysis is 
whether or not it should be included in the threat. But as my col- 
leagues noted earlier, the vast majority of time, even that broad 
definition of personally identifiable information isn’t necessary to 
include in the threat. 

Mr. Meehan. Now, how about because we are watching — and I 
think there was some testimony. I know it was in the written testi- 
mony. We have seen a tremendous expansion in the amount of mo- 
bile devices that are now being used as back doors to that, so is 
that expanding on the amount of information that may be getting 
caught up in the net if we are starting to do more to look after pro- 
tecting against violations that happen on personal devices? 

Ms. McGuire. Yeah. I think there is no question that the pro- 
liferation of different devices and ways for us to connect to the 
internet and to move our data around creates a larger attack sur- 
face, if you will, and more opportunities for the bad guys to access 
our personal information. So, you know, things like FIPPs and 
other kinds of policies to protect your private data, coupled with all 
of the necessary security that you need to have on all of those de- 
vices, they have to be done, done together to ensure, at least pro- 
vide a level of assurance that your information and your privacy 
is secured. 

Ms. Pearson. So let’s take a really concrete example. Let’s say 
you are a business with a few thousand employees and you allow 
employees to use their smartphones or iPads, or you know, device 
and connect and do work, and let’s say that somebody who operates 
your systems sees some weird behavior, and they say: Well, what 
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is going on? They look to see, and it is some of the source of that 
information, of that aberration is coming from a few of the devices 
that are hooked up to the network. What is collected is system in- 
formation and device information to find out what is going on, what 
is the source of it. That is threat information. That is the kind of 
information, when you are in a business, you are collecting. 

The next question is: Well, do you share it with anybody? Do you 
go to one of these information-sharing collaboratives with industry 
and then say: I have seen something; have you seen something? 
You compare notes. It is kind of like a Neighborhood Watch. You 
say, well, you know, this is kind of happening in my neck of the 
woods, my neighborhood. 

Most of the information — all the information in that context is 
not identifiable information because you are just saying, well, I 
have got devices, and this is what I have seen. The question that 
turns it from threat information that is non-PII to personal infor- 
mation is if you have reason to say: Oh, and that device belonged 
to X. 

Mr. Meehan. Why would you say that, though? Is there a cir- 
cumstance where you would? 

Ms. Pearson. In a situation I just painted where you are trying 
to figure out what is going on, probably not. If there is reason to 
think that some — that whoever had that device needs to be con- 
tacted to be asked questions or maybe there was something going 
on, perhaps then there might be, which is why I think all of us in 
our remarks have talked about how the majority of information in 
the cyber context is not PII, but sometimes it might be, and then 
it becomes a matter of safeguarding and treating that information 
well. 

That is, I think the danger of trying to overcircumscribe how this 
stuff works because it is very — it is complex, it is changing, the 
technology is changing, and the way to address these issues today 
is very different from what it was even a couple of years ago and 
it will change going forward. 

Mr. Meehan. Go ahead and recognize my Ranking Member for 
some follow-up questions as well. 

Ms. Clarke. 

Ms. Clarke. Thank you, Mr. Chairman. 

You know, this is such a fascinating area that we are engaged 
with right now, and we are really just at the beginning of what can 
ultimately be a way of life for us because the technologies is ever- 
evolving, but I have a question about data breach information, obli- 
gations, rather. 

When a company is hacked, what is its obligation to its cus- 
tomers? What is its obligations to its employees and its share- 
holders? Do you think that current law is sufficient to compel cor- 
porations to give their stakeholders the information they need? 
That is one question. 

Then I want to ask another very important question because this 
is over time. So, over the past decade, we have witnessed an explo- 
sion in the usage of the internet for all aspects of everyday life. 
Networking technologies have now fully penetrated our civil soci- 
ety. Many are worried about the intended and unintended con- 
sequences of this. Some have talked about changing expectation of 
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privacy as a result of the internet. Many people have mused that 
no one will be able to run for President in the future due to the 
amount of information about us through social media, whether it 
is Facebook, Linkedin, all of these things that reveal so much 
about us. Do you think that these technologies are changing how 
we think of our privacy? How do you see the internet affecting our 
conception of privacy in the future? 

Ms. Pearson. Really simple questions. Can I start? 

Ms. Callahan. Sure. Go ahead. 

Ms. Pearson. I will start with the second one first. That is the 
broad question, I think, of our time for those of us who work in this 
area daily. There is something — every realm, every type of new 
technology that has some implication for the collection manage- 
ment of information over time, starting with, you know, even before 
the camera, but the camera is kind of a modern era start of the 
technology cycle that has led us to camera to telegraph to tele- 
phone to video, et cetera, et cetera, prompts this question, and we 
as a society search for the answer, and we as an American society 
have come up with a unique blend of mechanisms, law enforce- 
ment, policies, norms to answer it for ourselves as a people. 

This current era in which we live is a very rapid technology 
cycle, and the rapidity of it has challenged our whole concept. So 
while I resisted tweeting that I was coming in here, I will tweet 
on my way out, and it is, I think, the generation to come, the dig- 
ital native generation will reflexively, I think, engage in this infor- 
mation sharing, to speak of another kind of information-sharing ac- 
tivity, much more normally and as regularly than we might. But 
I believe firmly, and I think there are studies that show it academi- 
cally that the human psyche needs a zone of privacy, and it just 
needs to express itself in different ways, given the parameters of 
what we are living in. 

So I firmly believe that despite some of the rhetoric around here, 
humans have, American — you know, in our American society, but 
globally, some sort of psychological need for a zone in which to ex- 
press oneself, and you Imow, in our country, I think the challenge 
will be to reinvent that for the coming era and figure out what the 
laws and norms are around it. 

Ms. McGuire. I will take the first question on data breach first. 
Clearly, companies have a series of obligations to inform their cus- 
tomers, their employees, and their shareholders. 

Today, however, we do have a patchwork of regulation around 
that. I think we have 48 different State laws, and that can be dif- 
ficult for companies to scale to when they have experienced an un- 
fortunate data breach issue. So having some commonality around 
what that reporting should be, I think, at least from our perspec- 
tive, would be desirable. 

On the second question around internet — the increasing use of 
internet and how it is changing and evolving our perceptions on 
privacy, there is no question that I think, as Ms. Pearson stated, 
that there is a big difference between, you know, the over-30 gen- 
eration and the under-30 generation on how we perceive our pri- 
vacy and our own information. 

I was part of a panel a couple of weeks ago on privacy and secu- 
rity where we were discussing the changing nature of anonymity 
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on the internet and the role that that will play in regard to future 
views on privacy. So I think we are starting to see a huge evo- 
lution, if you will, just in how we are going to be thinking about 
these issues in the future. 

Ms. Callahan. If I could have two small points on both ques- 
tions. You asked about data breach obligations, and I think it is 
worthwhile to note that the patchwork of State laws that Ms. 
McGuire mentioned involved a very narrow definition of personally 
identifiable information. So it would be first and last name, coupled 
with a sensitive identifier, such as social security number, but 
there can be many cyber breaches that may not reach the level of 
a data breach for notification. 

Now, there is — so it is almost two different types of breaches, a 
cybersecurity incident and a data breach incident. With that said, 
there is guidance from the SEC that public companies should notify 
about if there has been an incident, but they also should notify 
whether or not there is a possibility or some sort of problems, and 
I think that is worth noting in terms of your shareholder question. 

With regard to the internet, I think that the FIPPs of user con- 
trol and transparency are going to be important tenets as we get 
into this kind of ubiquitous always on-line information. You should 
know what is being happening with information and how you as an 
individual can control it. I think that will help define privacy in the 
future. 

Mr. Meehan. Well, I thank you. Let me ask one sort of closing 
question to the extent you feel comfortable answering it, because 
obviously as we work through, this is one example, although one 
of the critically important issues that we are dealing with as we 
try to find a framework for legislation that helps us find the very 
balance that we are exploring today. So, if you were in our shoes 
and you were writing the legislation, how would you look to write 
something that accommodates the concerns that we are sharing 
today? What would be in that legislation to help, you know, limit 
the sharing of PIT but still encourage the ability for us to get the 
necessary threat information that we need to protect? 

Then what kind of rules do you think we should be putting in 
place to encourage and give guidance to companies to allow them 
to feel comfortable doing information sharing, in fact, to encourage 
it, because part of the fear is if you have outliers that don’t partici- 
pate, as you have stated, the weakest link may be the avenue in, 
how do we make sure that we do the most to protect our system? 

So, you are the legislators and we have got to go to draft, what 
would be included to address those issues? I will ask you to move 
across. 

Ms. Callahan. Well, thank you very much, and I am happy to 
be a legislator. I enjoyed my time in the Executive branch, but I 
look forward to being on your side. No, just kidding. 

If I were writing the legislation, I would want to make sure that 
this — that the FIPPs were thoroughly integrated into the legisla- 
tion, and we have spoken a lot about how effective that is and how 
it is a framework, and it is very flexible, and I think those are im- 
portant tenets to put in there. We don’t want to be too prescriptive, 
we don’t want to be too specific, but we want to have the frame- 
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work and the concepts, and I think data minimalization from the 
information sharing is a very important tenet. 

With regard to the types of rules to he put in place, FIPPs, obvi- 
ously, hut I will also say that the NIST cybersecurity framework 
that is currently going on with the Executive Order can be a very 
useful tool to help all the small- and medium-sized enterprises who 
are going to be sharing information as well as the large multi- 
national ones have the same kind of baseline and not try to re- 
invent the wheel. 

Ms. McGuire. I largely agree with everything that Ms. Callahan 
has said, but I will just add that I think there is one or two addi- 
tional pieces. In addition to the FIPPs components and building on 
the existing frameworks that we have in place today, those two key 
pieces are that civilian agency, as a lead, I think, are very impor- 
tant to ensuring that our citizens feel comfortable that their per- 
sonal information is not somehow being used for purposes other 
than securing networks and systems, and also the legal liability 
issue for companies especially to feel comfortable to share informa- 
tion with the Government. 

Today we are — we have a very laborious process. If we want to 
share something that is not part of a contractual arrangement that 
exists today, a business arrangement with Government agencies, 
that can take a lot of time, and oftentimes the information becomes 
stale. 

Mr. Meehan. They say in a moment where we are talking micro- 
seconds sometimes about information being relevant to preventing 
a threat. 

Ms. McGuire. Yes. Information becomes stale very quickly, and 
so today we have to go through a series of internal privacy checks 
as well as legal checks and antitrust checks if we want to share 
with other companies even. As you can imagine, that takes a lot 
of time and resources when time is often of the essence. 

Mr. Meehan. Thank you. 

Ms. Pearson. 

Ms. Pearson. I also largely agree with my colleagues. The addi- 
tional couple of points I would make is that as legislators, the over- 
sight function that you have the ability to play should not be un- 
derestimated at all and should continue to be exercised, particu- 
larly in this area, to make sure that the agencies involved and the 
stakeholders involved are discharging for obligations here. I think 
that is very important. 

Another point to make is that certainty is important. Certainty 
is important to business, of course, and I know from my service on, 
for example, the American Bar Association Cybersecurity Legal 
Task Force, which cuts across the entire bar association and other 
fora that, as a whole, the members of the bar who are counseling 
companies across the board, different industries, are coming off the 
curb, so to speak, on their understanding how the different laws 
here intersect with one another and work with another, whether it 
is antitrust or privacy or other things, and encouraging that kind 
of maturation, I think, for example, by holding briefings, by 

Mr. Meehan. Are you saying that they are beginning to under- 
stand the parameters and more effectively counsel their clients as 
to what they may or may not do? 
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Ms. Pearson. It is a complex — as you noted before, it is a com- 
plex area of law, and the challenge with security and securing is 
that it implicates so many areas of law, current law and then a lot 
of the law that is coming. So what I see happening is more and 
more, you know, the defense industrial-based pilot, for example, 
was it a fantastically successful pilot? As involvement of industry 
broadens in the framework at NIST and the voluntary efforts, so 
is an additional expansion of individuals, particularly in the legal 
community who are starting to understand how to put all those 
pieces together, and so that should be encouraged, in my view. 

Mr. Meehan. Well, I think we have time constraints, so I want 
to express my deep appreciation. I think we could go on with this 
hearing well into the evening hours, but I need to respect 
everybody’s time, and I particularly appreciate the work that each 
and every one of you has done, not just in the preparation for this 
hearing, but your long period of service in what is a vital and im- 
portant area now for our Nation as we move forward trying to find 
the right balance on this and the other questions that are relevant 
to the challenge that we face. 

I don’t think anybody denies or is running from the true nature 
of the very real threat that exists out there in the cyber world that 
is affecting people in so many different capacities, but I also am 
confident in our capacity to meet the challenge if we do it with 
enough forethought. 

So I thank you for having very, very valuable testimony to this 
consideration as we work together as a committee to try to reach 
the right challenge in the bills that we will propose. There may be 
Members from the committee who have a question, and if they do 
and they submit it to you, I would ask that you do your best to try 
to respond in writing, if that should happen. But I thank you for 
your continuing work and I look forward to continuing dialogue as 
we move through on this very important issue. 

I thank the Members of the committee. The committee now 
stands — subcommittee now stands adjourned. 

[Whereupon, at 3:44 p.m., the subcommittee was adjourned.] 
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